Re: About 'qemu-security' mailing list

["Daniel P. Berrangé" <berrange@redhat.com>]

On Fri, Sep 11, 2020 at 04:51:49PM +0100, Peter Maydell wrote:
> On Fri, 11 Sep 2020 at 15:22, P J P <ppandit@redhat.com> wrote:
> > Proposal: (to address above limitations)
> > =========
> >
> > * We set up a new 'qemu-security' mailing list.
> >
> > * QEMU security issues are reported to this new list only.
> >
> > * Representatives from various communities subscribe to this list. (List maybe
> >    moderated in the beginning.)
> >
> > * As QEMU issues come in, participants on the 'qemu-security' list shall
> >    discuss and decide about how to triage them further.
> 
> Way way back, the idea of a qemu-security list was proposed, and
> it was decided against because there wasn't a clear way that
> people could send encrypted mail to the security team if it
> was just a mailing list. So that's why we have the "handful
> of individual contacts" approach. Is that still something people
> care about ?
> 
> My question is, who decides who's on the qemu-security list?
> Is this just "it's the same handful of contacts, but they
> have a mailing list for convenience" ? It sounds like you
> want it to be a larger grouping than that and maybe also
> want to use it as a mechanism for informing downstream distros
> etc about QEMU security issues, which is to say you're
> proposing an overhaul and change to our security process,
> not merely "we'd like to create a mailing list" ?

Yes, that is a reasonable description. 

Do we think the current QEMU security process is working well for the
community as a whole in terms of our downstream consumers learning about
security flaws in an appropriate timeframe and manner ?  

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|