From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [Qemu-devel] KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 15:57:42 +0300
Message-ID: <20140429125742.GA17873@redhat.com>
References: <8738gxgary.fsf@elfo.mitica>
 <8761ltwjqt.fsf@blackfin.pond.sub.org>
 <20140429055124.GA12031@redhat.com>
 <CAFEAcA9jv5JxhGa+0pDhYC6JO9dACXGpWNNYm=-NMPtoxO7aVw@mail.gmail.com>
 <20140429100948.GB15521@redhat.com>
 <CAFEAcA-=f=3+Cbur2mxrh42-E8j_pexj3XacpGh-NmLbei-7jg@mail.gmail.com>
 <87oazktivd.fsf@blackfin.pond.sub.org>
 <20140429125558.GA3079@redhat.com>
 <87d2g0s1mz.fsf@blackfin.pond.sub.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	qemu list <qemu-devel@nongnu.org>,
	KVM devel mailing list <kvm@vger.kernel.org>,
	Juan Quintela <quintela@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:63738 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752687AbaD2N4o (ORCPT <rfc822;kvm@vger.kernel.org>);
	Tue, 29 Apr 2014 09:56:44 -0400
Content-Disposition: inline
In-Reply-To: <87d2g0s1mz.fsf@blackfin.pond.sub.org>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On Tue, Apr 29, 2014 at 03:31:32PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" <berrange@redhat.com> writes:
> 
> > On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote:
> >> Peter Maydell <peter.maydell@linaro.org> writes:
> >> 
> >> > On 29 April 2014 11:09, Michael S. Tsirkin <mst@redhat.com> wrote:
> >> >> Let's just make clear how to contact us securely, when to contact that
> >> >> list, and what we'll do with the info.  I cobbled together the
> >> >> following:
> >> >> http://wiki.qemu.org/SecurityProcess
> >> >
> >> > Looks generally OK I guess. I'd drop the 'how to use pgp' section --
> >> > anybody who cares will already know how to send us PGP email.
> >> 
> >> The first paragraph under "How to Contact Us Securely" is fine, the rest
> >> seems redundant for readers familiar with PGP, yet hardly sufficient for
> >> the rest.
> >> 
> >> One thing I like about Libvirt's Security Process page[*] is they give
> >> an idea on embargo duration.
> >
> > FWIW I picked the "2 weeks" length myself a completely arbitrary timeframe.
> > We haven't stuck to that strictly - we consider needs of each vulnerability
> > as it is triaged to determine the minimum practical embargo time. So think
> > of "2 weeks" as more of a guiding principal to show the world that we don't
> > believe in keeping issues under embargo for very long periods of time.
> 
> Pretty much the way I read it :)
> 
> The point I care about is a commitment to getting fixes out quickly,
> making clear we're not going to abuse "responsible disclosure" to cover
> dragging of feet and deflecting blame.

Well it does say right at the top:  "we aim to take immediate action to
address serious security-related problems that involve our product".
I don't see how by myself I can make a more specific commitment.
If multiple maintainers can make a stronger guarantee, we can
document it (it's a wiki :)

It won't be easy to retract a promise once given, so let's tread
carefully here.

-- 
MST