qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] KVM call agenda for 2014-04-28

From: Markus Armbruster
Subject: Re: [Qemu-devel] KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 15:31:32 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux) 
"Daniel P. Berrange" <address@hidden> writes:

> On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote:
>> Peter Maydell <address@hidden> writes:
>> 
>> > On 29 April 2014 11:09, Michael S. Tsirkin <address@hidden> wrote:
>> >> Let's just make clear how to contact us securely, when to contact that
>> >> list, and what we'll do with the info.  I cobbled together the
>> >> following:
>> >> http://wiki.qemu.org/SecurityProcess
>> >
>> > Looks generally OK I guess. I'd drop the 'how to use pgp' section --
>> > anybody who cares will already know how to send us PGP email.
>> 
>> The first paragraph under "How to Contact Us Securely" is fine, the rest
>> seems redundant for readers familiar with PGP, yet hardly sufficient for
>> the rest.
>> 
>> One thing I like about Libvirt's Security Process page[*] is they give
>> an idea on embargo duration.
>
> FWIW I picked the "2 weeks" length myself a completely arbitrary timeframe.
> We haven't stuck to that strictly - we consider needs of each vulnerability
> as it is triaged to determine the minimum practical embargo time. So think
> of "2 weeks" as more of a guiding principal to show the world that we don't
> believe in keeping issues under embargo for very long periods of time.

Pretty much the way I read it :)

The point I care about is a commitment to getting fixes out quickly,
making clear we're not going to abuse "responsible disclosure" to cover
dragging of feet and deflecting blame.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]