This is what my caveat is intended to address.
Feel free to get advice but I can assure you that this is a
non-issue.
If the vulnerability were in a component that were distributed to the
users then 1. the GPL would be engaged 2. my caveat would be violated.
It may be that this wording should be improved since obviously it
isn't clear enough.
It might be worth looking at constructing some some hypothetical or
historical applications and judging them against these criteria.
So far, what the security team have done is use online machine
translation services. That seems to have been sufficient so far.

Ian.

Having gone through the thread, I've prepared a three-part new
proposal email.

I. Deployment with Security Team Permission
II. Predisclosure list memembership
III. Information sharing
IV. Fixes which seem to have rough consensus as they were

Perhaps I should be checking the current web page out as a git tree
and preparing a patch series ?

Thanks,
Ian.


I. Deployment with Security Team Permission
===========================================

Permitting deployment during embargo seemed to have rough consensus on
the principle. We seemed to be converging on the idea that the
Security Team should explicitly set deployment restrictions for each
set of patches. So I suggest something like this:

List members may deploy fixed versions during the embargo, only with
permission from the Security Team. The Security Team will normally
permit such deployment, even for systems where VMs are managed or
used by non-members of the predisclosure risk. Permission for
deployment, and any restrictions, will be stated in the embargoed
advisory text.

The Security Team will impose deployment restrictions only insofar
as it is necessary to prevent the exposure of technicalities (for
example, differences in behaviour) which present a significant risk
of rediscovery of the vulnerability. Such situations are expected
to be rare.



II. Predisclosure list memembership
===================================

The idea of objective criteria seemed to find favour, and the general
scheme I proposed.

Lars suggested we should "test" this. I think therefore that we
should invite a participants in this thread to write up and post
applications which we can then test against the proposed policy. But
we should probably wait until we have rough consensus on the new
policy shape.

I have dropped the section about bad websites. I don't think its lack
will make much difference to the way applications are processed in
practice, and I still think documenting the issue would be useful, but
it's clear that I'm not going to get consensus for it.

Changes that I have made are:
- Applications to be made, and decisions sent, to a public mailing list
- Explicitly say that the Security Team decide and that they have no
discretion
- Explicitly say that there is appeal to the project governance process
(Lars: perhaps this should say something different or more specific?)


So as I said before, applicants should be required to:

- Provide information on their public web pages which makes
it clear that and why they are eligible;

- Specifically, publicly state that and how they are using Xen
(so that the Security Team can verify eligibility);

- Provide a way for members of the public to responsibly report
security problems to the applicant, just as the Xen Project does.

The Security Team should be forbidden from trying to hunt down
eligibility information etc. and should instead be mandated to reject
incomplete requests.

Specifically, I propose that the section on list membership
applications be entirely replaced with this:

Organisations who meet the criteria should contact
predisclosure-***@xenproject if they wish to receive
pre-disclosure of advisories. That is a public mailing list.

You must include in the e-mail:

* The name of your organization.

* Domain name(s) which you use to provide Xen software/services.

* A brief description of why you fit the criteria.

* If not all of your products/services use Xen, a list of (some
of) your products/services (or categories thereof) which do.

* Link(s) to current public web pages, belonging to your
organisation, for each of following pieces of information:

o Evidence of your status as a service/software provider:
+ If you are a public hosting provider, your public rates
or how to get a quote
+ If you are a software provider, how your
software can be downloaded or purchased
+ If you are an open-source project, a mailing list
archive and/or version control repository, with
active development

o Evidence of your status as a user of Xen:
+ Statements about, or descriptions of, your eligible
production services or released software, from which it is
immediately evident that they use Xen.

o Information about your handling of security problems:
+ Your invitation to members of the public, who discover
security problems with your products/services, to report
them in confidence to you;
+ Specifically, the contact information (email addresses or
other contact instructions) which such a member of the
public should use.

Blog postings, conference presentations, social media pages,
Flash presentations, videos, sites which require registration,
anything password-protected, etc., are not acceptable. PDFs of
reasonable size are acceptable so long as the URL you provide is
of a ordinary HTML page providing a link to the PDF.

If the pages are long and/or PDFs are involved, your email
should say which part of the pages and documents are relevant.

* A statement to the effect that you have read this policy and
agree to abide by the terms for inclusion in the list,
specifically the requirements regarding confidentiality during
an embargo period.

* The single (non-personal) email alias you wish added to the
predisclosure list.

Your application will be determined by the Xen Project Security
Team, and their decision posted to the list. The Security Team has
no discretion to accept applications which do not provide all of the
information required above.

If you are dissatisfied with the Security Team's decision you may
appeal it via the Xen Project's governance processes.



III. Information-sharing
========================

Permitting sharing of embargoed fixes amongst predisclosure list
seemed to have rough consensus in principle. There was some
discussion about the details. I remain convinced that my previous
proposal is correct and I think we should be able to get consensus for
it.

So I reproduce it (unchanged from my previous proposed wording):

List members are allowed to share fixes to embargoed issues,
analysis, etc., with the security teams of other list members.
Technical measures must be taken to prevents non-list-member
organisations, or unauthorised staff in list-member organisations,
from obtaining the embargoed materials.

The Xen Project provides the mailing list
xen-security-issues-***@lists.xenproject.org
for this purpose. List members are encouraged to use it but
may share with other list members' security teams via other
channels.

The -discuss list's distribution is identical to that of the primary
predisclosure list xen-security-issues. Recipient organisations who
do not wish to receive all of the traffic on -discuss should use
recipient-side email filtering based on the provided `List-Id'.

The -discuss list is moderated by the Xen Project Security Team.
Announcements of private availability of fixed versions, and
technical messages about embargoed advisories, will be approved.
Messages dealing with policy matters will be rejected with a
reference to the Security Team contact address and/or public Xen
mailing lists.


IV. Fixes which seem to have rough consensus as they were
=========================================================

(Reproduced unchanged from my previous proposed wording:)

The Security Team should not be invited to give permission
specifically for the release of patched software. I think the rider
was mistakenly merged into the final the bullet point in the list. It
should be separated out. Also, the predisclosure list members should
not be invited to consult the discoverer.

The note about CVE numbers should be moved into the list of
forbidden-disclosures, as a new bullet point. So overall I would
delete that whole paragraph about CVEs (we don't need the historical
information) and adjust the end of the forbidden disclosures to read:

...
* patched software (even in binary form)
* CVE number(s)
We should add just below the list of bullet points of things which may
be disclosed:

Where the list member is a service provider who intends to take
disruptive action such as rebooting as part of deploying a fix (see
above): the list member's communications to its users about the
service disruption may mention that the disruption is to correct a
security issue, and relate it to the public information about the
issue (as listed above).


--

On the other hand, small distros can enlist the help of other people
on the list to help produce / test fixes. XenServer has a massive
testing framework that can be used to make sure there aren't any
accidental regressions before they publish a patch; I assume SuSE and
Oracle have something similar. But how much testing bandwidth does
Debian have for security fixes? At the moment CentOS doesn't have an
automated framework: all testing for the XSA-108 update had to happen
by hand. Being able to bring in people on the list using the
xen4centos packages would have been helpful.

-George

I also was wondering whether it would make sense to put a time-limit on applications. For example, we could say that processing an application will take 2 weeks. By doing so, we avoid having to handle applications as a response to media speculation. If we get an application wrong, and allow somebody wrong on the list who then discloses information related to an embargo, we would create risks for others already on the list. This would be the worst possible outcome for the project. Just a thought

Regards
Lars

It's a risk but I think the benefit of having far fewer vulnerable
systems in production by the time the vulnerability is publically
disclosed outweighs the risk. Today we have a 100% probability that
there will be large numbers of vulnerable systems the day the
embargo is lifted.
I view fairness here as providing a level playing field for all
concerned. If we do allow sharing then it doesn't mandate that
distros will provide fixes ahead of the embargo being lifted but
allows them to do so if they wish. Each distro can chose its own
policy without artificial constraint.

Cheers,
James

Perhaps the right approach is to have a requalification process, where
each member's predisclosure list membership is reviewed periodically.

Ian.

Due to travel last week for LinuxCon EU and Linux Plumbers Conference
I've not been able to put together a reply to all the points raised a
the start of this thread.

On this point in particular, back in 2012 [1] I suggested that all
membership requests should be discussed in public on a community email
list like xen-devel, or another email list to avoid noise. The Xen
Project Security Team shouldn't have to evaluate petitions for
membership while managing an embargoed issue. I brought this up again
in 2013 [2] regarding the Coverity process.

This process works quite well for the distros email list, where
requests for membership requests are discussion on oss-security (a
public list). Protecting embargoed details should be our primary
concern here, and every time we increase the distribution of this
information we are increasing the risk it will leak. This deserves a
rigorous public debate, not a decision made under fire or undue
pressure.

--msw

[1] http://lists.xenproject.org/archives/html/xen-devel/2012-07/msg00122.html
[2] http://lists.xenproject.org/archives/html/xen-devel/2013-08/msg03085.html

I don't think members of the security team should be expected to
either (a) set up a parallel sandboxed web browsing infrastructure,
and keep that sandbox highly available so that it can be used during a
security crisis, or (b) expose themselves to attacks of various kinds.

The security list is very different to most of the situations where I
am currently expecting to use my crud-enabled browser (as you so aptly
put it). At the moment I use my crud-enabled browser when I am
expecting to spend money, or engage with organisations that I already
have a relationship with. That is, where I have already made a
decision to trust the entity whose webshite I'm trying to look at.

I am not personally willing to take random URLs sent to me in email
from strangers and simply visit them in my usual crud-enabled browser
- the same browser I use for my internet banking. I do have a
*sandboxed* crud-enabled browser but it lives at home on a machine
which has restricted access to and from the rest of my network - and I
certainly wouldn't want to try to let it display on my Trusted
Computing Base.

I think that people who want to be on the predisclosure list should
make matters easy for the security team. I think it therefore is only
fair to say that an application might be delayed if the team member
who happens to deal with the application can't conveniently access the
evidence that the applicant is supposed to provide.

And that an application might be rejected entirely if insufficiently
many members of the team are able to access, and hence verify, the
information provided.


Or to put it another way: if the Xen Project community decides to
reject an explicit statement along the lines I propose above, that
won't mean that I will put my own security and privacy at risk when
dealing with predisclosure list applications.

So those applications might be delayed anyway, unless other members of
the team want to take up the slack. Of course if the community
doesn't like my attitude, they're free to get rid of me.

Ian.

+1

We already have a definition of eligibility for membership of the
pre-disclosure list and therefore I don't think it is necessary or
desirable to further constrain specific privileges to subsets of the
list members.

Cheers,
James

Good question. Primarily because I anticipate two potential failure
modes:

1. People posting non-password-protected URLs, or the like. If the
list is moderated we can notice this quickly and hopefully have
things taken down.

2. Predisclosure list members using the embargoed-information-sharing
forum as a venue for political consensus-building, planning, and
pressurising.

Of these I am most worried about the 2nd.

We have already suffered from a few very dramatic incidents, where
predisclosure list members used their privileged informational
position to try to gain advantage in policymaking and policy
interpretation.

The idea that the predisclosure list members are somehow the most
proper or most real stakeholders and that it is their opinion which
ought to count is distressingly prevalent - especially, it appears,
amongst some of the senior management of some predisclosure list
members. When a security crisis is in full swing, such management
often becomes involved. As I say we have had multiple occasions
where intense political pressure was applied.

It would be a very bad idea to explicitly provide a forum which
predisclosure list members - whose interests are ill-aligned with
those of the public at large - could use for confidential lobbying,
political coordination, and networking. (It might even be illegal;
private collusion by predisclosure list members to manipulate
policymaking might well sometimes be illegal in any case.)

If the list is to be unmoderated, at the very least, we would need an
automatic mechanism which would publish all of the exchanges on a
particular issue at the end of its embargo. ATM we don't have
software to do that.
Thanks for pointing out this problem.

This was not intended to be a constraint; it was intended to mean
`_even_ those who are service providers'. Since it was previously
`obvious' that people with private Xen deployments can deploy fixes
when they get them.

I will make a revised proposal for wording in this area.
As a member of the Security Team I would like to be able to say `sorry
your application did not qualify'. I don't want to have to say `sorry
your application didn't quite meet the criteria and we have chosen not
to exercise our discretion'.

Thanks,
Ian.

The changes on the table are really more practical and aim at demonstrating a) use of Xen and b) a mature security vulnerability process. So I don't think there is a contradiction with having criteria.
Maintainer(s) > committer(s) > project lead (> advisory board in some extremely rare circumstances) - in practice however, 99.99% of all issues get resolved at maintainers & committers stage without a vote. I cannot recall an issue where the project lead had to step in as long as I worked with the project and we never had the AB engaged.

To make this work within the existing governance, we would need the equivalent of maintainer(s) > committer(s) > project lead for the pre-disclosure list. We don't have to have a full hierarchy: a project lead makes no sense in this case, or the project lead would just be the Xen HV project lead. If we compare with oss-sec the equivalent of the committer is Alexander.

So I guess what I am saying is that this is doable, without governance changes.
I stated before that we hardly ever use the voting model for day-to-day activities. Only for process changes, new projects and committer/project lead elections. Personally, I believe that avoiding a formal vote in this case is preferable.

So the question then would be who would be the owner (aka maintainer and/or committer) of the security pre-disclosure list. The only natural candidates we have right now are members of the Security Team. Of course this may evolve over time, in particular if people who have already a standing in the wider FOSS security community get actively engaged with the process.

So assuming that someone from the Security Team is willing to step up, and the community agrees, this could be done. But in practice, the burden would still fall onto members of Security Team and all we would change is to create more transparency - at least in the short term. Please do correct me, if you think I am wrong.
That is OK. A bit of a filter on the seriousness of someone requesting to be on the list.

Regards
Lars