From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, "Alex Bennée" <alex.bennee@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>,
"Thomas Huth" <thuth@redhat.com>,
"Mauro Matteo Cascella" <mcascell@redhat.com>
Subject: Re: [qemu-web PATCH v2 3/3] contribute: switch security process to gitlab confidential issues
Date: Thu, 18 Jun 2026 13:03:17 -0400 [thread overview]
Message-ID: <20260618130219-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <ajQjCHvJTqpvPzqz@redhat.com>
On Thu, Jun 18, 2026 at 05:55:36PM +0100, Daniel P. Berrangé wrote:
> On Thu, Jun 18, 2026 at 12:39:31PM -0400, Michael S. Tsirkin wrote:
> > On Thu, Jun 18, 2026 at 05:33:54PM +0100, Daniel P. Berrangé wrote:
> > > On Thu, Jun 18, 2026 at 12:23:46PM -0400, Michael S. Tsirkin wrote:
> > > > thanks! sorry probably just me being dense but some things
> > > > here I don't get. might be worth clarifying:
> > > >
> > > > On Thu, Jun 18, 2026 at 05:07:10PM +0100, Daniel P. Berrangé wrote:
> > > > > On Thu, Jun 18, 2026 at 11:30:29AM -0400, Michael S. Tsirkin wrote:
> > > > > > > + * The maintainer(s) will develop and/or review patch(es)
> > > > > > > + for the issue privately, optionally attaching work in
> > > > > > > + progress fixes to the GitLab issues.
> > > > > >
> > > > > > attaching how? how do i ask reported to test the fix?
> > > > > > was easy in the email flow.
> > > > >
> > > > > You can add arbitrary attachments in gitlab issue comments.
> > > > >
> > > > > > > All patches must
> > > > > > > + include the issue URL in the commit message(s).
> > > > > >
> > > > > > you mean the commit message of the patches I presume?
> > > > > > there's no commit at that point.
> > > > >
> > > > > Well I presume the maintainer will have a local git tree
> > > > > with a work-in-progress commit.
> > > >
> > > > sorry I don't get it.
> > > >
> > > > what does it have to do with patches then?
> > > >
> > > >
> > > > who cares about my local tree?
> > >
> > > If you fix a gitlab issue, the commit must contain the issue URL.
> > > That's normal practice we've followed forever and would now apply
> > > to security fixes too.
> >
> > Ah. You want a Fixes: tag maybe? Let's say so pls then.
> >
> > > >
> > > > and why is this mentioned twice?
> > >
> > > Mentioning twice is a mistake
> > >
> > >
> > > > > > > The
> > > > > > > + **"Workflow::In Progress"** label should be assigned when
> > > > > > > + a maintainer starts working on a fix.
> > > > > >
> > > > > > That's a bit heavy, and what is "working" anyway.
> > > > > > It's an issue tracker not a planning app.
> > > > > > Don't try to make it one.
> > > > >
> > > > > Various "Workflow::" labels are already present in our gitlab
> > > > > instance. We don't use them consistently - this text is just
> > > > > a pointer that the're there.
> > > > >
> > > >
> > > > maybe "can be assigned" then?
> > >
> > > Ok.
> > >
> > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > > + * When a CVE is allocated, it must be recorded as a comment on
> > > > > > > + the GitLab issue, and the **"CVE::Required"** label replaced by
> > > > > > > + the **"CVE::Assigned"** label.
> > > > > >
> > > > > > Recorded as a comment how exactly, in what format?
> > > > >
> > > > > In plain text.
> > > >
> > > > yes but in what format?
> > >
> > > Literally just "CVE-2026-1234" anywhere in the commit message as we've
> > > been donig for years.
> >
> > I suspect what we've been doing for years no longer scales or
> > we'd keep doing what we've been doing?
> >
> >
> > We desperately need something that is consumable by tooling,
> > and I just do not see how is a tool going to figure out
> > "this seems to be unrelated CVE-123" is irrelevant.
>
> It depends who you mean by "we" here ? From an upstream POV I don't
> think we care. We ship fixes in master.
Why do we bother with CVE numbers at all then?
> While it would be nice to
> have stable releases with all security fixes backported, we have
> never promised/offered that and with the volume we see, I don't
> think we should try to add such a promise either.
>
> IOW, consuming CVE fixes is largely a downstream problem. I'd
> recommend they start from the gitlab issues with Kind::Security
> and CVE::Assigned tags present, but beyon that its upto them.
Let's say they do it, how do they know the CVE number?
>
> With regards,
> Daniel
> --
> |: https://berrange.com ~~ https://hachyderm.io/@berrange :|
> |: https://libvirt.org ~~ https://entangle-photo.org :|
> |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
next prev parent reply other threads:[~2026-06-18 17:04 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 13:20 [qemu-web PATCH v2 0/3] switch to GitLab confidential issues for security disclosure Daniel P. Berrangé
2026-06-18 13:20 ` [qemu-web PATCH v2 1/3] contribute: reformat/restructure bug report guidance Daniel P. Berrangé
2026-06-18 13:40 ` Alex Bennée
2026-06-18 13:55 ` Philippe Mathieu-Daudé
2026-06-18 13:20 ` [qemu-web PATCH v2 2/3] contribute: add automated tool disclosure to bug reporting Daniel P. Berrangé
2026-06-18 13:41 ` Alex Bennée
2026-06-18 13:20 ` [qemu-web PATCH v2 3/3] contribute: switch security process to gitlab confidential issues Daniel P. Berrangé
2026-06-18 13:42 ` Alex Bennée
2026-06-18 14:07 ` Philippe Mathieu-Daudé
2026-06-18 14:20 ` Daniel P. Berrangé
2026-06-18 14:28 ` Philippe Mathieu-Daudé
2026-06-18 14:42 ` Michael S. Tsirkin
2026-06-18 15:06 ` Daniel P. Berrangé
2026-06-18 15:51 ` Michael S. Tsirkin
2026-06-18 14:49 ` Mauro Matteo Cascella
2026-06-18 15:30 ` Michael S. Tsirkin
2026-06-18 16:07 ` Daniel P. Berrangé
2026-06-18 16:23 ` Michael S. Tsirkin
2026-06-18 16:33 ` Daniel P. Berrangé
2026-06-18 16:39 ` Michael S. Tsirkin
2026-06-18 16:55 ` Daniel P. Berrangé
2026-06-18 17:03 ` Michael S. Tsirkin [this message]
2026-06-18 18:05 ` [qemu-web PATCH v2 0/3] switch to GitLab confidential issues for security disclosure Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618130219-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=alex.bennee@linaro.org \
--cc=berrange@redhat.com \
--cc=mcascell@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pierrick.bouvier@oss.qualcomm.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.