From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:39378)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <aliguori@us.ibm.com>) id 1RjBbf-0003Fq-Kj
	for qemu-devel@nongnu.org; Fri, 06 Jan 2012 10:21:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <aliguori@us.ibm.com>) id 1RjBbe-0000YI-K2
	for qemu-devel@nongnu.org; Fri, 06 Jan 2012 10:21:23 -0500
Received: from e37.co.us.ibm.com ([32.97.110.158]:39155)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <aliguori@us.ibm.com>) id 1RjBbe-0000YE-Eg
	for qemu-devel@nongnu.org; Fri, 06 Jan 2012 10:21:22 -0500
Received: from /spool/local
	by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <aliguori@us.ibm.com>;
	Fri, 6 Jan 2012 08:21:19 -0700
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167])
	by d03relay05.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q06FJohl082926
	for <qemu-devel@nongnu.org>; Fri, 6 Jan 2012 08:19:53 -0700
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1])
	by d03av01.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP
	id q06FJmf8005576
	for <qemu-devel@nongnu.org>; Fri, 6 Jan 2012 08:19:49 -0700
Message-ID: <4F071111.6080306@us.ibm.com>
Date: Fri, 06 Jan 2012 09:19:45 -0600
From: Anthony Liguori <aliguori@us.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] [RFC] QEMU Code Audit Team
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel <qemu-devel@nongnu.org>
Cc: Chris Wright <chrisw@redhat.com>, Corey Bryant <coreyb@linux.vnet.ibm.com>, Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>, Avi Kivity <avi@redhat.com>

Hi,

I had an idea I wanted to share and see what level of interest there was in 
participating and if anyone knows of a process that other projects follow for this.

I'd like to start a more formal and transparent security audit of QEMU.  The way 
I'd imagine it working is something like this:

1) People volunteer to be part of the audit team

2) Two people walk through a particular piece of code and independently flag 
anything that looks like a potential security issue.

3) Two people independently review everything that's flagged to see if there's a 
security issue.

Step (3) is something that requires a fairly deep understanding of QEMU but step 
(2) is probably something that a lot of people could participate in.

I'd want to focus initially on the common PC devices.   The list isn't all that 
large and a review like this should only take a few hours to complete each step.

Would folks be interested in participating in something like this?  If so, I can 
start organizing it.

Regards,

Anthony Liguori