[Xen-devel] Possible improvement to Xen Security Response Process
According to https://xenbits.xen.org/xsa/ we are in the middle of 4 consecutive Tuesdays of security announcements: XSA-19[1-8] on Nov. 22, XSA-201 Nov. 29, XSA-199 Dec. 6 and XSA-200 Dec. 13. The present security policy does not encourage batching of XSAs and I would like us to consider refining the policy to permit this. The present approach of frequent security updates causes significant disruption to users. Many organisations test updates before deploying in production; because security updates are so important this displaces other work at short notice and doing so repeatedly is a significant impact to users of Xen. Updating the policy to encourage the batching of updates would reduce the load of using Xen. From a security purist point of view, any delay in publication could increase the possibility of vulnerabilities being exploited in the wild. However, given the significant frequency of publication of XSAs, I’d suggest that users failing to keep up with the publication rate is presently a much greater security risk. If XSAs were to be batched, we should also consider if batch updates should be encouraged to be on pre-defined dates. The present unpredictability makes it unnecessarily more difficult for users of Xen to plan their lives. For example, our present process causes organisations with few administrators to choose between cancelling holidays or not patching. Obviously, some issues are discussed in public before the security impact is realised (such as XSA-201); equally, the right to set a disclosure date (if any) rests with the discoverer. However, my experience of other software (which may not be typical) has been that discoverers are usually happy to go along with any reasonable proposed date given in the same way that discoverers of XSAs are usually happy to conform to our present policy. If this seems a good idea, then I’ll post a concrete proposal but I’d like to get general feedback first. ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] Possible improvement to Xen Security Response Process
On Mon, 2016-12-05 at 11:24 -0800, Stefano Stabellini wrote: > On Mon, 5 Dec 2016, Jan Beulich wrote: > > >>> On 05.12.16 at 15:17, wrote: ... > > > Obviously, some issues are discussed in public before the security > > > impact is realised (such as XSA-201); equally, the right to set > > > a disclosure date (if any) rests with the discoverer. However, > > > my experience of other software (which may not be typical) has been > > > that discoverers are usually happy to go along with any reasonable > > > proposed date given in the same way that discoverers of XSAs are > > > usually happy to conform to our present policy. > > > > > > If this seems a good idea, then I’ll post a concrete proposal but > > > I’d like to get general feedback first. > > > > I think very much here depends on the concrete aspects of the > > proposal (timing, room for exceptions, etc). From just a general > > pov, I can see advantages and disadvantages to both, just like > > you've indicated yourself already. Also it shouldn't be left out of > > consideration that for less severe vulnerabilities consuming > > parties could decide for themselves whether to delay patching > > (and hence leverage batching); I'm not convinced it would be a > > good idea to require the XenProject Security Team to take this > > decision in all cases. > > Given that the disclosure date is always chosen by the discoverer, the > only thing the security team can do is to suggest. It could make sense > to have a policy to pick the date the team should propose to the > discoverer, but at the end of the day, it is always, entirely, up to > her. I agree; I'm suggesting changes to the dates that the security team would propose to a discoverer. It's clearly entirely up to the discoverer whether they accept the proposal or decide on a different date (and they are, of course, under no obligation to contact the security team in advance at all). It does seem that discoverers are usually kind enough to contact the security team and consent to the dates suggested by the present policy; we should respect that kindness by making best use of the flexibility offered as well as ensuring timely release. ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] Possible improvement to Xen Security Response Process
On Wed, 2016-12-07 at 16:23 +, Ian Jackson wrote: > ... > I have an alternative concrete suggestion: > > Unless there are good reasons to diverge, our suggestions to > discoverer(s) will be based on the following criteria, in order of > precedence: > 1. Avoiding disclosure on Fridays, weekends, or on or immediately > before widely respected public holidays. > 2. Minimising the number of distinct publication dates > within each 14 day period. > 3. Making the preparation period for each advisory as close, > on a log scale, to 14 days as possible. > (The preparation period for an advisory is the period between > predisclosure and publication.) > ... > Bunfight, anyone ? > > > Ian. > (Responding with a personal opinion, and hence from a personal > email address. I haven't discussed this with my management at > Citrix.) > I'll join in the bunfight with a stronger proposal (noting in passing that according to https://xenbits.xen.org/xsa/ we are now expecting 5 consecutive weeks of XSA announcements): 1) Where practical, XSA public disclosures will be batched and announced once per month. 2) The calendar of disclosure dates will be published well in advance and will avoid Fridays, weekends, or dates on or immediately before widely respected public holidays. 3) Issues will normally have at least 14 days pre-disclosure; this means that an issue discovered immediately prior to a scheduled publication date will normally not be disclosed until the next publication date. Clearly there will be times when this can't be done; I am also aware that discoverers always have the final say. But both of those points apply to the current policy as well. I know that this would be a significant change. However, the present frequent and unpredictable nature of disclosures consumes a lot of time that would otherwise be better spent on contributing to and improving Xen. Matthew ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
