From: Stefan Hajnoczi <stefanha@gmail.com>
To: P J P <ppandit@redhat.com>
Cc: peter.maydell@linaro.org, sstabellini@kernel.org,
"Daniel P. Berrangé" <berrange@redhat.com>,
mst@redhat.com, michael.roth@amd.com,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Darren Kenny" <darren.kenny@oracle.com>,
pmatouse@redhat.com
Subject: Re: About 'qemu-security' mailing list
Date: Tue, 17 Nov 2020 16:19:42 +0000 [thread overview]
Message-ID: <20201117161942.GA147428@stefanha-x1.localdomain> (raw)
In-Reply-To: <20201117144612.GA140001@stefanha-x1.localdomain>
[-- Attachment #1: Type: text/plain, Size: 2311 bytes --]
On Tue, Nov 17, 2020 at 02:46:12PM +0000, Stefan Hajnoczi wrote:
> On Fri, Oct 16, 2020 at 07:47:01PM +0530, P J P wrote:
>
> I have CCed everyone from the Security Process wiki page so they can
> participate in discussing changes to the process.
>
> > * So ie. we need to:
> >
> > 1. Create/setup a regular non-encrypted 'qemu-security' list.
> >
> > 2. Invite representatives from user/downstream communities to subscribe to
> > it.
> >
> > 3. Collect & store their PGP public keys. Also create a key for the list.
> >
> > 4. Write 'encrypt & email' automation tool(s) to provide encryption support.
> >
> > 5. Document and publish above details and list workflow on a page.
> >
> >
> > ...wdyt?
>
> Writing/maintaining automation tools will take time so I suggest going
> with confidential GitLab Issues instead:
> https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html
>
> If you would like to test GitLab Issues, please post your username and
> you will be given the "Reporter" role so you can view confidential
> issues.
>
> I have created a confidential issue here (you'll get 404 if you don't
> have permissions to view it):
> https://gitlab.com/qemu-project/qemu/-/issues/2
>
> The intention is to migrate QEMU's bug tracker from Launchpad to GitLab
> so this will unify reporting regular bugs and security bugs. It also
> uses encryption all the time instead of relying on users explicitly
> encrypting emails.
Dan and I tried out confidential issues and unfortunately it is
currently too limited for our workflow.
It is not possible to add non-members to a confidential issue. Members
need at least the 'Reporter' role to view confidential issues, and then
they can view all of them (!).
This means there is no way of working on a need-to-know basis. We would
have to give anyone who ever needs to comment on an issue access to all
other issues :(.
Dan found this open feature request from 2 years ago:
https://gitlab.com/gitlab-org/gitlab/-/issues/20252
For now I think we should stick to email. I'm still concerned about the
prospect of writing custom mailing list software and hosting it
somewhere. Can we run an encrypted mailing list without developing the
software ourselves?
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-11-17 16:20 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-11 14:20 About 'qemu-security' mailing list P J P
2020-09-11 15:27 ` Li Qiang
2020-09-11 15:40 ` Alexander Bulekov
2020-09-11 15:58 ` Alexander Bulekov
2020-09-18 7:33 ` P J P
2020-09-11 15:47 ` Daniel P. Berrangé
2020-09-11 15:51 ` Peter Maydell
2020-09-14 7:38 ` Philippe Mathieu-Daudé
2020-09-14 10:17 ` Stefan Hajnoczi
2020-09-14 8:54 ` Daniel P. Berrangé
2020-09-14 9:30 ` Peter Maydell
2020-09-14 10:15 ` Stefan Hajnoczi
2020-09-15 10:48 ` P J P
2020-09-16 11:10 ` Stefan Hajnoczi
2020-09-16 12:33 ` Peter Maydell
2020-09-16 13:06 ` Daniel P. Berrangé
2020-09-16 13:25 ` Thomas Huth
2020-09-16 13:30 ` Daniel P. Berrangé
2020-09-18 7:02 ` P J P
2020-09-30 11:46 ` P J P
2020-09-30 15:48 ` Darren Kenny
2020-10-01 10:35 ` P J P
2020-10-01 11:34 ` Darren Kenny
2020-10-01 13:57 ` Konrad Rzeszutek Wilk
2020-10-01 18:17 ` P J P
2020-10-16 14:17 ` P J P
2020-10-20 14:08 ` P J P
2020-11-03 11:18 ` P J P
2020-11-17 14:46 ` Stefan Hajnoczi
2020-11-17 16:19 ` Stefan Hajnoczi [this message]
2020-11-17 16:35 ` Daniel P. Berrangé
2020-11-18 10:32 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201117161942.GA147428@stefanha-x1.localdomain \
--to=stefanha@gmail.com \
--cc=berrange@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=konrad.wilk@oracle.com \
--cc=michael.roth@amd.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pmatouse@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=sstabellini@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).