Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-28 Thread George Dunlap
On 17/02/17 10:11, Lars Kurth wrote:
> George,
>
> thanks for pulling this together.
>
>> On 14 Feb 2017, at 17:25, George Dunlap wrote:
>>
>> Here is version two, with minor revisions based on comments from version
>> 1. Please give any feedback by 28 February. Thanks!
>
> I think we may nee

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-17 Thread Jan Beulich
>>> On 17.02.17 at 11:11, wrote:
>> On 14 Feb 2017, at 17:25, George Dunlap wrote:
>> 1c. The source is guest userspace, and the target is the guest kernel,
>> or other guest userspace processes.
>>
>> This means, for instance, that a bug which allows a guest kernel to
>> perform a DoS on itself w

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-17 Thread Lars Kurth
George,

thanks for pulling this together.

> On 14 Feb 2017, at 17:25, George Dunlap wrote:
>
> Here is version two, with minor revisions based on comments from version
> 1. Please give any feedback by 28 February. Thanks!

I think we may need to take a step back on this, given the coverage of

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-15 Thread Jan Beulich
>>> On 15.02.17 at 17:37, wrote:
> On 15/02/17 09:44, Jan Beulich wrote:
> On 14.02.17 at 18:25, wrote:
>>> 4. The security team will only issue an advisory if there is a known
>>> combination of software in which the vulnerability can be exploited.
>>
>> Considering the following text, perh

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-15 Thread George Dunlap
On 15/02/17 09:44, Jan Beulich wrote:
On 14.02.17 at 18:25, wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
>
> Considering the following text, perhaps "may" would end up a little
> less st

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-15 Thread Lars Kurth
George,

I noticed that the blog post does not contain a link to the xen-devel@ discussion. I will add it.

Lars

> On 15 Feb 2017, at 09:44, Jan Beulich wrote:
> On 14.02.17 at 18:25, wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in

Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-15 Thread Jan Beulich
>>> On 14.02.17 at 18:25, wrote:
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.

Considering the following text, perhaps "may" would end up a little less strict here than "can"? Or add "possibly"? Everyt

[Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued

2017-02-14 Thread George Dunlap
Here is version two, with minor revisions based on comments from version 1. Please give any feedback by 28 February. Thanks! Issuing advisories has a cost: It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, bui