On Fri, Jan 11, 2013 at 02:20:49PM -0800, John Kinsella wrote:
> Everyone - as we're trying to define the ACS security response plan, we
> started considering the idea of a pre-disclosure mailing list. Membership
> would consist of security teams from organizations that have large
> installations of ACS upon which their business is critical. The idea
> was based on Xen's pre-disclosure list[1]. After we (PPMC) discussed
> and invited thoughts from secur...@apache.org, it was suggested that
> we get feedback from the general development community. I'll summarize
> the discussion points below, but would love to hear further thoughts or
> comments from everyone.

Thanks for taking lead on that and starting this discussion. 

> * The initial thought was to have the list for distributions that include 
> ACS, but expanded to consider organizations with significant installations.
> * For organizations who have decided to base their business (or a good chunk 
> of it) on ACS, advance notice allows them a chance to mitigate security 
> issues which could cause significant operational issues before general 
> release to the public.
> * Having a pre-disclosure list, though, means we would need to manage who 
> gets on and who doesn't. Membership would have to be limited by either 
> install size, criticality of the install base, or some other similar metric. 
> If we don't limit membership, it's the same as just doing a public 
> announcement.
> * Some are worried that management of this list could be significant work or 
> cause stress in the community.
> * We'd have to keep the pre-disclosure advance notice timeframe fairly small, 
> otherwise it'll leak out without responsible control on our behalf.
> * In some cases, individuals have seen vulnerability reports demand that 
> certain organizations do not get pre-disclosure. So that's something we might 
> have to deal with.
> * One question is if membership should be limited to organizations who have 
> individuals who contribute to the project, or if it should be open to anyone. 
> The concept being "why should they get something from us when we get nothing 
> from them?"
> * One suggestion was to use the pre-disclosure list not so much as an 
> advanced-warning list, but as a QA list, allowing folks to review the 
> announcement before it is published for general consumption.

The intent here is good: We want to help users of CloudStack and ensure
that any security issues are as minimally disruptive as possible.

I wonder about the effect, though. Essentially this would be saying
"some users are more important than others" based on size or some other
criteria. 

Now - we've talked about being packaged in Linux distributions recently.
I think we can make a case for a pre-disclosure list of downstream
security teams, if they're packaging + shipping Apache CloudStack. The
number of vendors/projects would be fairly manageable. The other
argument is that we need to give downstreams time to apply patches or
whatever so they can ship them to their users. Note that would also fit
with it being a QA list. If we're serious about being in Linux distros,
we need to think about how we'd work with them on security issues. 

But having a list of organizations that use CloudStack, judged by the
"significance" of their installation... I'm not comfortable telling a
user of CloudStack "sorry, you don't merit early notification of
security bugs because your installation isn't big enough." 

Best,

jzb
--
Joe Brockmeier
http://dissociatedpress.net/
Twitter: @jzb
