On 3/1/19 2:48 PM, Ian Jackson wrote:
> Lars Kurth writes ("[PATCH] Minor security policy text changes to avoid ambiguity"):
>> See http://xenbits.xen.org/gitweb/?p=people/larsk/governance.git;a=summary
>> for the repository.
> 
> I don't think in fact that there was previously any ambiguity.  The
> text in the policy two paragraphs earlier explains in detail, and
> entirely explicitly and without any room for doubt, that distribution
> is prohibited.
> 
> The misunderstanding arises through reading just the section on
> `deployment' out of context and then taking a wide reading of
> `deployment'.
> 
> This is a common failure mode with any kind of document: the document
> is long or the reader is in a hurry or stressed, so they do not read
> all of it; they look for the part that seems to apply to them and
> misunderstand it, in haste.  Also people tend to read what they want
> to hear.
> 
> Adding more text far from the site of the misunderstanding does
> nothing to help this.  Rather, it makes it worse: there is an
> antipattern in documents of this kind where every misunderstanding
> results in the addition of further repetitive text.  The document then
> becomes longer, and reading the whole thing becomes harder and also
> less worthwhile.
> 
> I think adding a small amount of text can be valuable, in important
> cases, if it is done right next to the site of the potential
> misunderstanding.  In this case I think that means something more like
> the patch below.
> 
> What do people think?
> 
> Thanks,
> Ian.
> 
> 
> commit 35ad94db90eb6d926416deeaddf8cc19b0f46ef1
> Author: Ian Jackson <ian.jack...@eu.citrix.com>
> Date:   Fri Mar 1 14:40:06 2019 +0000
> 
>     Avoid misunderstanding of `deploy'
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their 
> users only the following:
> -   The assigned XSA number
> -   The planned disclosure date
> 
> List members may, if (and only if) the Security Team grants
> permission, deploy fixed versions {+on their own services+} during the
> embargo.  {+(NB: Distribution of fixes is, mostly, prohibited; see above.)+}
> Permission for deployment, and any restrictions, will be stated in the
> embargoed advisory text.
> 
> The Security Team will normally permit such deployment, even for systems where
> VMs are managed or used by non-members of the predisclosure list. The Security
> 
> 
> 
> From 35ad94db90eb6d926416deeaddf8cc19b0f46ef1 Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jack...@eu.citrix.com>
> Date: Fri, 1 Mar 2019 14:40:06 +0000
> Subject: [PATCH] Avoid misunderstanding of `deploy'
> 
> ---
>  security-policy.pandoc | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/security-policy.pandoc b/security-policy.pandoc
> index 8e07384..af285be 100644
> --- a/security-policy.pandoc
> +++ b/security-policy.pandoc
> @@ -213,9 +213,11 @@ List members are allowed to make available to their 
> users only the following:
>  -   The assigned XSA number
>  -   The planned disclosure date
>  
> -List members may, if (and only if) the Security Team grants permission, 
> deploy
> -fixed versions during the embargo. Permission for deployment, and any
> -restrictions, will be stated in the embargoed advisory text.
> +List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions on their own services during the
> +embargo.  (NB: Distribution of fixes is, mostly, prohibited; see above.)
> +Permission for deployment, and any restrictions, will be stated in the
> +embargoed advisory text.
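Review bot: the added parenthetical "(NB: Distribution of fixes is, mostly, prohibited; see above.)" hedges with "mostly" and points at "above" without naming the paragraph, so a reader who lands on this paragraph alone, which is exactly the out-of-context reading the cover letter says it wants to prevent, still cannot tell which distribution is prohibited or where the governing text is. Consider dropping "mostly" in favour of stating the exception directly, and replacing "see above" with a reference to the specific section or paragraph that sets out the prohibition, so the note is self-sufficient next to "deploy fixed versions on their own services". Separately, the hunk reflows the original three lines into five, so the textual change (two inserted phrases, as the word-diff earlier in the message shows clearly) is spread over a larger diff than it needs; keeping the original line breaks where possible would make the actual change easier to review in the commit history.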

This change looks good to me -- has it been committed yet?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
