Re: About 'qemu-security' mailing list

[Peter Maydell]

On Mon, 14 Sep 2020 at 09:55, Daniel P. Berrangé <berrange@redhat.com> wrote:
> Do we think the current QEMU security process is working well for the
> community as a whole in terms of our downstream consumers learning about
> security flaws in an appropriate timeframe and manner ?

That sounds like a question we should be asking our distro contacts,
not guessing at amongst ourselves :-)

Personally, my view is that our current security process is
absolutely useless for anybody who isn't either (a) a distro
(b) using their distro's packaged QEMU (c) big enough to
effectively be acting as their own distro by tracking CVE
announcements and applying patches by hand -- because we don't
produce timely new upstream releases with security fixes.
So unless we want to change that, I think the key question
is "does this process work for the distros?", and I'm happy
if we make adjustments to fix whatever their problems with it
might be.

thanks
-- PMM