Re: About 'qemu-security' mailing list

From: Thomas Huth
Subject: Re: About 'qemu-security' mailing list
Date: Wed, 16 Sep 2020 15:25:45 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

On 16/09/2020 15.06, Daniel P. Berrangé wrote:
> On Wed, Sep 16, 2020 at 01:33:38PM +0100, Peter Maydell wrote:
>> On Wed, 16 Sep 2020 at 12:10, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>>> I think it's worth investigating whether GitLab Issues can be configured
>>> in a secure-enough way for security bug reporting. That way HTTPS is
>>> used and only GitLab stores the confidential information (this isn't
>>> end-to-end encryption but seems better than unencrypted SMTP and
>>> plaintext emails copied across machines).
>> Given that we currently use launchpad for bugs we should also look
>> at whether launchpad's "private security" bug classification would
>> be useful for us (currently such bug reports effectively go to /dev/null
>> but this can be fixed).

I've somehow managed to subscribe myself to our private LP bugs, so I
get notified if there is a new one.

> Using a bug tracker has the notable advantage over direct email CC's
> that if the security triage team needs to pull in a domain-specific
> expert, that newly added person can still see the full history of
> discussion on the bug.
> With individual email CC's, the previous discussions are essentially
> an information black hole until the security triage team is good enough
> to forward the full discussion history (this essentially never happens
> IME). Mailing list also has that easy archive access benefit.
> Is it possible to set up people to be able to view launchpad private
> bugs, without also making them full admins for the QEMU launchpad
> project ?

Honestly, I'd rather like us to move to the gitlab bug tracker instead
of extending our use of the launchpad tracker. LP is IMHO a really ugly
bug tracking tool.

> Does launchpad still send clear text email notifications to the
> permitted admins for private bugs ? I recall I used to get clear
> text emails for private bugs in the past for non-QEMU projects.

IIRC, yes, the email notifications for the private bugs are still sent
without encryption.

