From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Alex Bennée" <alex.bennee@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>,
"Thomas Huth" <thuth@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [qemu-web PATCH v2 0/3] switch to GitLab confidential issues for security disclosure
Date: Thu, 18 Jun 2026 14:20:55 +0100
Message-ID: <20260618132058.1044341-1-berrange@redhat.com>
I previously raised the idea of using GitLab issues for security
disclosures:
https://lists.gnu.org/archive/html/qemu-devel/2026-05/msg04582.html
This patch proposal formalizes that into a concrete proposal:
* qemu-security is entirely discontinued
* "confidential" GitLab issues are to be used
* The priority is to have a low overhead process that is
as close to normal bug & development workflow as possible.
* No embargoes will be accepted, beyond the time needed
for a maintainer to develop a patch, unless extenuating
scenarios apply. A vendor's/user's desire to delay to
suit their arbitrary software upgrade schedule is NOT
an extenuating scenario.
* All confidential issues will be expected to be made
public, either when the patch is proposed to qemu-devel,
or sooner if an issue is low severity and a patch is not
a priority for the maintainer
* Eliminate dependency on any single maintainer/person to
the greatest extent practical
With the move to use of the issue tracker, my intention is to
use a script to bulk import all disclosures received by
qemu-security@nongnu.org since March 1st 2026. The imported
issues will reflect the current triage / resolution state of
each disclosure. IOW, completed issues will be immediately
marked closed upon import, non-virt use case issues will be
marked public, and outstanding virt use case issues will
remain confidential.
The issue description will *NOT* be re-formatted according to
the QEMU bug template. Most disclosures have been provided
via email in markdown format, so this will be imported 'as is'
as the full description with no editing.
The "reporter" in these cases will be a throwaway "bot" account
but the original reporter's name, email, date and message-id will
be recorded.
Daniel P. Berrangé (3):
contribute: reformat/restructure bug report guidance
contribute: add automated tool disclosure to bug reporting
contribute: switch security process to gitlab confidential issues
contribute/report-a-bug.md | 63 ++++---
contribute/security-process.md | 309 +++++++++++++++------------------
2 files changed, 184 insertions(+), 188 deletions(-)
--
2.54.0