The Xen.org security response team is charged with implementing the
Xen security response process, the current version of which can be
found here:
http://www.xen.org/projects/security_vulnerability_process.html
Over the past two months we on that team have been involved with
XSA-7 / CVE-2012-0217 and its various fallout.
During this exercise we have encountered some problems with the
process. The process needs improvement. Also, we have had to make
some difficult decisions. We feel it is essential for keeping us
honest that we explain to the community what we did, and when.
A message starting this discussion has just been posted to the
xen-devel mailing list:
http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html
The outcome of this discussion will be a set of changes to be agreed
on and/or voted on using the existing Xen.org governance processes:
http://www.xen.org/projects/governance.html
This discussion will take place on xen-devel. We expect it to take
some weeks. We welcome the views of everyone in the Xen community -
please come and have your say.
Thanks for your attention,
Ian.
on behalf of the Xen.org security response team