From: "Alex Bennée" <alex.bennee@linaro.org>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org,  "Michael S. Tsirkin" <mst@redhat.com>,
	 Mauro Matteo Cascella <mcascell@redhat.com>,
	 Thomas Huth <thuth@redhat.com>
Subject: Re: RFC: GitLab issues for security disclosures
Date: Thu, 21 May 2026 12:09:23 +0100	[thread overview]
Message-ID: <87fr3low7w.fsf@draig.linaro.org> (raw)
In-Reply-To: <agxzKzzDOJm1EU_v@redhat.com> ("Daniel P. Berrangé"'s message of "Tue, 19 May 2026 15:26:51 +0100")

Daniel P. Berrangé <berrange@redhat.com> writes:

> The qemu-security mailing list was created several years back now and
> traditionally saw 1-2 disclosures a month at worst. This was manageable.
>
> Since approx March 1st, the new normal is to see as many as 20 disclosures
> in one single day, more than 200 in total now. This is unsustainable.
> I was thinking we needed more people on qemu-security to triage, but IMHO
> this won't really fix the problem.
>
<snip>
>
> Some key benefits of using GitLab for security disclosures
>
>  * We can trivially make disclosures public if we classify them
>    as a non-virtualization use case, or when the fix is ready.
>
>  * We can formally track the lifecycle of disclosures through to
>    the final fix, for both virtualization & non-virtualization
>    use cases. The only difference will be that the former can
>    request a CVE assignment
>
>  * We can do reports/queries of outstanding issues
>  
>  * We can more easily use automation to process issues
>
>  * Maintainers can see bugs without waiting for someone to triage
>    and forward it on their way.
>
>  * The small number of security bug triage people are not a
>    bottleneck anymore
>
> Some downsides/implications
>
>  * Every disclosure in a confidential issue will be visible to every
>    maintainer who has joined the qemu-project repo on GitLab. IOW
>    that is treating every maintainer as equally trusted.
>
>    We do have qemu-security though we could be mailed if someone
>    considered their disclosure to be severely impactful but the triage
>    team can't make that decision.
>
>  * We must NOT grant membership to qemu-project at a Reporter level
>    for anyone who is not an active maintainer. They must be limited
>    to the "Guest" role at most.

We currently have the following:

"dgibson, dgibson, 20"
"Cleber Rosa, cleber.gnu, 40"
"Stefan Hajnoczi, stefanha, 30"
"Paolo Bonzini, bonzini, 40"
"Michael Roth, mdroth, 30"
"John Snow, jsnow, 20"
"Daniel P. Berrangé, berrange, 20"
"Thomas Huth, thuth, 20"
"Philippe Mathieu-Daudé, philmd, 20"
"Qemu Janitor, qemu-janitor, 20"
"Richard Henderson, rth7680, 40"
"Marc-André Lureau, marcandre.lureau, 20"
"Cornelia Huck, cohuck, 20"
"Stefano Garzarella, sgarzarella, 20"
"Dr. David Alan Gilbert, dagrh, 20"
"Alexander Bulekov, a1xndr, 20"
"Greg Kurz, gkurz, 20"
"Laurent Vivier, lvivier, 20"
"Klaus Jensen, birkelund, 20"
"Hanna Czenczek, hreitz, 20"
"Stefan Weil, stweil, 20"
"Vladimir Sementsov-Ogievskiy, vsementsov, 20"
"Mark Cave-Ayland, mcayland, 20"
"Jason Wang, jasowang, 20"
"Gerd Hoffmann, kraxel, 20"
"Joaquin de Andres, xcancerberox, 20"
"Paul Zimmerman, pauldzim, 20"
"Warner Losh, bsdimp, 20"
"Eduardo Habkost, ehabkost, 20"
"Ani Sinha, anisinha, 20"
"Lars D, lars.dunemark, 20"
"Daniel Henrique Barboza, danielhb, 20"
"Christian Borntraeger, cborntra, 20"
"Alexander Graf, agraf, 20"
"Fam Zheng, famzheng, 20"
"Igor Mammedov, imammedo, 20"
"Cédric Le Goater, legoater, 20"
"Michael Tokarev, mjt0k, 40"
"Marc-André Lureau, marcandre.lureau-rh, 20"
"Alistair Francis, alistair23, 20"
"Emilio Cota, cota_, 20"
"David Woodhouse, dwmw2, 20"
"Eldon, eldondev, 40"
"Bastian Koppelmann, kbastian-qemu, 20"
"Cédric Le Goater, clegoate, 20"
"David Hildenbrand, davidhildenbrand, 20"
"Bin Meng, lbmeng, 20"
"Stefan Berger, stefanberger, 20"
"Alex Williamson, alex.williamson, 20"
"Eric Blake, ebblake, 20"
"Juan Quintela, juan.quintela, 20"
"MST, mstredhat, 20"
"Christian Schoenebeck, schoenebeck, 20"
"npiggin, npiggin, 20"
"Kostiantyn Kostiuk, kostyanf14, 20"
"Kevin Wolf, kmwolf, 30"
"Aihua Liang, aliang1, 20"
"Helge Deller, hdeller, 20"
"Fabiano Rosas, farosas, 20"
"Gustavo Romero, gusbromero, 20"
"Peter Krempa (work), pkrempa, 20"
"Harsh Prateek Bora, harshpb, 30"
"Jim MacArthur, jmacarthur, 20"
"Manos Pitsidianakis, epilys, 20"
"Brian Cain, brian-cain, 20"
"Anthony Roberts, anthony-linaro, 20"
"Pierrick Bouvier, pierrick.bouvier, 20"

>
>  * No one is formally responsible for GitLab issue triage. We have
>    had Thomas do it in the past periodically with script assistance.
>    We have Alex doing some of it now with bot assistance. The danger
>    is security disclosures get ignored as "somebody else's problem"
>    no one has accountability.
>
> With regards,
> Daniel

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro
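The numbers in the member list above are GitLab's numeric access levels (10 = Guest, 20 = Reporter, 30 = Developer, 40 = Maintainer, 50 = Owner). The following is an added example, not code from the thread or from the QEMU project: it parses an export in the same `"Name, username, level"` shape, flags every account above Guest whose username is not on an allowlist of active maintainers, and reports people who hold more than one account (two such pairs appear in the list above). The allowlist `ACTIVE_MAINTAINERS` is a hypothetical stand-in for whatever source of truth a project would use, such as its MAINTAINERS file.

```python
import re
from collections import defaultdict

# GitLab's documented numeric access levels.
ACCESS_LEVELS = {
    5: "Minimal", 10: "Guest", 20: "Reporter",
    30: "Developer", 40: "Maintainer", 50: "Owner",
}

# Constructed sample in the same shape as the member export quoted in the
# thread (a handful of rows copied from it).
MEMBER_EXPORT = """\
"Daniel P. Berrangé, berrange, 20"
"Thomas Huth, thuth, 20"
"Marc-André Lureau, marcandre.lureau, 20"
"Marc-André Lureau, marcandre.lureau-rh, 20"
"Kevin Wolf, kmwolf, 30"
"Richard Henderson, rth7680, 40"
"Lars D, lars.dunemark, 20"
"""

# Hypothetical allowlist of usernames belonging to active maintainers
# (assumption: in practice derive this from the project's MAINTAINERS file).
ACTIVE_MAINTAINERS = {"berrange", "thuth", "marcandre.lureau", "kmwolf", "rth7680"}

# Display names may contain dots, spaces and parentheses; usernames never
# contain a comma, which is what makes the row unambiguous.
LINE_RE = re.compile(r'^"(?P<name>.+?), (?P<user>[^,]+), (?P<level>\d+)"$')


def parse_members(text):
    """Return a list of (display_name, username, access_level) tuples."""
    members = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable member line: {raw!r}")
        members.append((m["name"], m["user"], int(m["level"])))
    return members


def audit(members, allowlist, max_unlisted_level=10):
    """Least-privilege check over a member list.

    Returns findings as (kind, subject, detail) tuples:
      * "over-privileged": an account above max_unlisted_level (Guest by
        default) whose username is not on the allowlist;
      * "duplicate-identity": one display name holding several accounts,
        which is worth a look before trusting any of them with
        confidential issues.
    """
    findings = []
    accounts_by_name = defaultdict(list)
    for name, user, level in members:
        accounts_by_name[name].append(user)
        if level > max_unlisted_level and user not in allowlist:
            role = ACCESS_LEVELS.get(level, str(level))
            findings.append(("over-privileged", user, role))
    for name, users in accounts_by_name.items():
        if len(users) > 1:
            findings.append(("duplicate-identity", name, ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_members(MEMBER_EXPORT), ACTIVE_MAINTAINERS):
        print(f"{kind:20} {subject:30} {detail}")
```

Running it against the constructed rows reports `lars.dunemark` and `marcandre.lureau-rh` as Reporter-level accounts outside the allowlist, and `Marc-André Lureau` as a name with two accounts; a real run would feed it the full export and a MAINTAINERS-derived allowlist.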


Thread overview: 17+ messages
2026-05-19 14:26 RFC: GitLab issues for security disclosures Daniel P. Berrangé
2026-05-19 15:18 ` Michael S. Tsirkin
2026-05-19 16:11   ` Daniel P. Berrangé
2026-05-19 16:19     ` Michael S. Tsirkin
2026-05-20 10:25 ` Mauro Matteo Cascella
2026-05-20 15:01 ` Pierrick Bouvier
2026-05-20 15:09   ` Daniel P. Berrangé
2026-05-20 17:33     ` Pierrick Bouvier
2026-05-20 17:39       ` Daniel P. Berrangé
2026-05-20 18:28         ` Warner Losh
2026-05-20 23:14         ` Michael S. Tsirkin
2026-05-21  9:06           ` Daniel P. Berrangé
2026-05-21 12:45           ` Mauro Matteo Cascella
2026-05-21 13:06             ` Daniel P. Berrangé
2026-05-21 13:17               ` Mauro Matteo Cascella
2026-05-21 11:09 ` Alex Bennée [this message]
2026-05-21 11:21 ` Daniel P. Berrangé
