On Fri, Oct 27, 2023 at 3:26 PM George Dunlap <[email protected]> wrote: > > We recently had a situation where a security issue was discovered > which only affected versions of Xen out of security support from an > upstream perspective. However, many downstreams (including XenServer > and SUSE) still had supported products based on the versions affected. > > Specify what the security team will do in this situation in the > future. As always, the goal here is to be fair and helpful, without > adding to the workload of the security team. Inviting downstreams to > list versions and ranges, as well as expecting them to be involved in > the patch, gives organizations without representation in the security > team the opportunity to decide to engage in the security process. At > the same time, it puts he onus of determining which products and which > versions might be affected, as well as the core work of creating and > testing a patch, on downstreams. > > Signed-off-by: George Dunlap <[email protected]> > --- > The entire security-process.pandoc file can be found here: > > https://gitlab.com/xen-project/people/gdunlap/old-governance
...and you can see this as a pull request here: https://gitlab.com/xen-project/people/gdunlap/old-governance/-/merge_requests/1 -George
