From: Liguori, Anthony
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Mon, 28 Apr 2014 13:57:26 +0000

https://lists.nongnu.org/mailman/admin/qemu-security

It has been created, but it will take 24-48 hours for Savannah to do its thing.
I'll send out the mailing list password to Michael and Peter once it is created.

Regards,

Anthony Liguori

________________________________________
From: Michael S. Tsirkin address@hidden
Sent: Monday, April 28, 2014 6:39 AM
To: Peter Maydell
Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, Anthony
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure

On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> On 17 April 2014 19:54, Michael S. Tsirkin <address@hidden> wrote:
> > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> wrote:
> >> > People sometimes detect security issues in upstream
> >> > QEMU and don't know where to report them in a non-public way.
> >> > Of course whoever just wants full disclosure can just go public,
> >> > but there's nothing specified for non-public - until recently Anthony
> >> > was doing this informally.
> >> >
> >> > As I started doing this recently anyway, I can handle this on the QEMU side
> >> > in a more formal way.
> >> >
> >> > Adding a secalert mailing list as well - they are the ones who are actually
> >> > opening CVEs, communicating issues to all downstreams etc.,
> >> > and they are already handling this for upstream, not just Red Hat.
> >> >
> >> > Keeping Anthony's address around in case he wants to be informed.
> >> >
> >> > Signed-off-by: Michael S. Tsirkin <address@hidden>
> >>
> >> What about using address@hidden and creating that as a
> >> moderated mailing list with no public archive?
> >>
> >> That way there's a single contact point and there can be many people
> >> backing it up to make sure that disclosures are handled very quickly.
>
> >
> > Also I'd like a more explicit name, we don't want general
> > security related discussions on that list.
> > address@hidden
> > ?
>
> OK, so do we want to:
> (a) commit this patch as-is
> (b) set up the proposed mailing list?
>
> If (b), who has the admin rights to do that?
>
> I don't feel strongly either way.
>
> thanks
> -- PMM

The way I see it, as long as it has the same people, it probably doesn't matter :)
We can get around to creating a list if/when more people
volunteer.

I also think we want people to have the option to communicate with pgp.

In some searches I found mailman patches for PGP support:
http://non-gnu.uvt.nl/mailman-pgp-smime/

but without that, we really need to list individual people for now.

--
MST
