qemu-devel

Re: [Qemu-devel] Minutes of QEMU Summit 2015 (2015-08-18, Seattle)


From: Gonglei
Subject: Re: [Qemu-devel] Minutes of QEMU Summit 2015 (2015-08-18, Seattle)
Date: Sun, 6 Sep 2015 14:48:44 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 2015/9/4 20:24, Peter Maydell wrote:
> * Security process
>  * We've improved and documented our security process over the last
>    year or so, but it could still be improved.
>  * Big problem -- we fix CVEs on master, but we don't provide a stable
>    release with security fixes until the next time we would have
>    done a release anyway; this can mean we go for months without
>    any available stable release without known security issues.
>  * We could do a stable release immediately we have a CVE, but this
>    is obviously more work for our stable maintainer (Michael Roth).
>    We might get a few CVEs a cycle, though obviously it varies.

I have another proposal:
If we fix CVEs on master, we'd better have a place (maybe www.qemu.org?)
to describe which stable releases are influenced. In this way, the user
can fix these CVEs more easily according to the Qemu versions which they
use. Meanwhile, it doesn't strongly require releasing another stable
version.

Regards,
-Gonglei



