From: "Michael S. Tsirkin" <mst@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
qemu list <qemu-devel@nongnu.org>,
KVM devel mailing list <kvm@vger.kernel.org>,
Juan Quintela <quintela@redhat.com>
Subject: Re: [Qemu-devel] KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 15:57:42 +0300 [thread overview]
Message-ID: <20140429125742.GA17873@redhat.com> (raw)
In-Reply-To: <87d2g0s1mz.fsf@blackfin.pond.sub.org>
On Tue, Apr 29, 2014 at 03:31:32PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" <berrange@redhat.com> writes:
>
> > On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote:
> >> Peter Maydell <peter.maydell@linaro.org> writes:
> >>
> >> > On 29 April 2014 11:09, Michael S. Tsirkin <mst@redhat.com> wrote:
> >> >> Let's just make clear how to contact us securely, when to contact that
> >> >> list, and what we'll do with the info. I cobbled together the
> >> >> following:
> >> >> http://wiki.qemu.org/SecurityProcess
> >> >
> >> > Looks generally OK I guess. I'd drop the 'how to use pgp' section --
> >> > anybody who cares will already know how to send us PGP email.
> >>
> >> The first paragraph under "How to Contact Us Securely" is fine, the rest
> >> seems redundant for readers familiar with PGP, yet hardly sufficient for
> >> the rest.
> >>
> >> One thing I like about Libvirt's Security Process page[*] is they give
> >> an idea on embargo duration.
> >
> > FWIW I picked the "2 weeks" length myself a completely arbitrary timeframe.
> > We haven't stuck to that strictly - we consider needs of each vulnerability
> > as it is triaged to determine the minimum practical embargo time. So think
> > of "2 weeks" as more of a guiding principal to show the world that we don't
> > believe in keeping issues under embargo for very long periods of time.
>
> Pretty much the way I read it :)
>
> The point I care about is a commitment to getting fixes out quickly,
> making clear we're not going to abuse "responsible disclosure" to cover
> dragging of feet and deflecting blame.
Well it does say right at the top: "we aim to take immediate action to
address serious security-related problems that involve our product".
I don't see how by myself I can make a more specific commitment.
If multiple maintainers can make a stronger guarantee, we can
document it (it's a wiki :)
It won't be easy to retract a promise once given, so let's tread
carefully here.
--
MST
next prev parent reply other threads:[~2014-04-29 13:56 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 7:42 KVM call agenda for 2014-04-28 Juan Quintela
2014-04-28 7:44 ` Venkateswara Rao Nandigam
2014-04-29 12:33 ` Juan Quintela
2014-04-28 15:34 ` [Qemu-devel] " Markus Armbruster
2014-04-29 5:51 ` Michael S. Tsirkin
2014-04-29 8:56 ` [Qemu-devel] " Peter Maydell
2014-04-29 10:09 ` Michael S. Tsirkin
2014-04-29 11:20 ` Peter Maydell
2014-04-29 12:33 ` [Qemu-devel] " Markus Armbruster
2014-04-29 11:45 ` Michael S. Tsirkin
2014-04-29 12:55 ` Daniel P. Berrange
2014-04-29 13:31 ` [Qemu-devel] " Markus Armbruster
2014-04-29 12:57 ` Michael S. Tsirkin [this message]
2014-04-29 13:05 ` Stefan Hajnoczi
2014-04-29 8:54 ` Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140429125742.GA17873@redhat.com \
--to=mst@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox