Re: [RFC 1/1] security-process: update process information

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC 1/1] security-process: update process information

From:	P J P
Subject:	Re: [RFC 1/1] security-process: update process information
Date:	Wed, 25 Nov 2020 18:18:56 +0530 (IST)

  Hello Darren, all

+-- On Tue, 24 Nov 2020, Darren Kenny wrote --+
| I always understood triage to be the initial steps in assessing a bug:
| 
| - determining if it is a security bug, in this case
| - then deciding on the severity of it
|
| I would not expect triage to include seeing it through to the point
| where there is a fix as in the steps above and as such that definition
| of triage should probably have a shorter time frame.

* Yes, initial triage is to determine if a given issue is a security one and 
  its impact if so.

* After above step, an upstream bug (or GitLab issue) shall be filed if the
  issue can be made public readily and does not need an embargo period.

* Following step about creating a patch is needed considering the influx of 
  these issues. If such a patch is not proposed at this time, we risk having 
  numerous CVE bugs open and unfixed without a patch.

* Sometimes proposed patches take long time to get merged upstream. Hence the 
  60 days time frame.

* It does not mean issue report will remain private for 60 days, nope.


| But, if it is a security bug - then that is when the next steps would be
| taken, to (not necessarily in this order):
| 
| - negotiate an embargo (should the predefined 60 days be insufficient)
|
|   - don't know if you need to mention that this would include downstream
|     in this too, since they will be the ones most likely to need the
|     time to distribute a fix

* Embargo period is negotiated for important/critical issues. Such embargo 
  period is generally not more than 2 weeks.

* Yes, embargo process includes notifying various downstream communities about 
  the issue, its fix(es) and co-ordinating disclosure.

| - request a CVE
| - create a fix for upstream
|   - distros can work on bringing that back into downstream as needed,
|     within the embargo period
| 
| I do feel that it is worth separating the 2 phases of triage and beyond,
| but of course that is only my thoughts on it, I'm sure others will have
| theirs.

* Yes, I appreciate it, thanks so much for sharing.

* This patch is to get the qemu-security list up and running. I'll refine the 
  process further with above/more details as we start using it. Hope that's 
  okay.


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

[Prev in Thread]

Current Thread

[Next in Thread]

[RFC 0/1] security-process: update with mailing list details, P J P, 2020/11/24
- [RFC 1/1] security-process: update process information, P J P, 2020/11/24
  - Re: [RFC 1/1] security-process: update process information, Darren Kenny, 2020/11/24
    - Re: [RFC 1/1] security-process: update process information, P J P <=
    - Re: [RFC 1/1] security-process: update process information, Darren Kenny, 2020/11/25

Prev by Date: Re: [PATCH for-6.0 2/8] spapr/xive: Introduce spapr_xive_nr_ends()
Next by Date: Re: [PATCH v3 3/7] support UFFD write fault processing in ram_save_iterate()
Previous by thread: Re: [RFC 1/1] security-process: update process information
Next by thread: Re: [RFC 1/1] security-process: update process information
Index(es):
- Date
- Thread