> On 5 Jun 2015, at 12:43, Ian Campbell <ian.campb...@citrix.com> wrote:
> 
> On Fri, 2015-06-05 at 12:32 +0100, Lars Kurth wrote:
>>> On 3 Jun 2015, at 10:35, Ian Campbell <ian.campb...@citrix.com> wrote:
>>> 
>>> On Mon, 2015-06-01 at 10:36 +0100, Lars Kurth wrote:
>>>> In the event that we do not have a patch available two working weeks
>>>> before the disclosure date, we aim to send an advisory that reflects
>>>> the current state of knowledge to the Xen security pre-disclosure
>>>> list. An updated advisory will be published as soon as available.
>>> 
>>> I'm a bit concerned about the conditions and frequency with which
>>> updated advisories would be expected, but not enough to object, +1.
>>> 
>>> Ian.
>> 
>> Ian, I would expect that this clause will only really kick in in rare 
>> situations, as in the Venom case, where we were waiting for a patch from a 
>> 3rd party. For example, if the security team almost has an advisory ready 2 
>> weeks before the disclosure date, I wouldn't expect that anything would 
>> change and you just do what you have always done. I think the phrase "aim 
>> to" gives the security team enough flexibility.
>> 
>> That was my interpretation of the text (or the intention). I just didn't 
>> want to over-codify the text. 
>> 
>> Does this make sense?
> 
> Yep, and more importantly I can point to this mail if there is any
> disagreement about the spirit of the text ;-)
> 
> Ian.

Any more votes from committers? 
As far as I can see we had Konrad, Ian C and Tim voting.
Ian J was on vacation last week and I forgot to CC Jan (apologies).
Regards
Lars
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel