Message-ID: <55EBE1CC.6090104@huawei.com>
Date: Sun, 6 Sep 2015 14:48:44 +0800
From: Gonglei
To: Peter Maydell, QEMU Developers
Subject: Re: [Qemu-devel] Minutes of QEMU Summit 2015 (2015-08-18, Seattle)

On 2015/9/4 20:24, Peter Maydell wrote:
> * Security process
>   * We've improved and documented our security process over the last
>     year or so, but it could still be improved.
>   * Big problem -- we fix CVEs on master, but we don't provide a stable
>     release with security fixes until the next time we would have
>     done a release anyway; this can mean we go for months without
>     any available stable release without known security issues.
>   * We could do a stable release immediately we have a CVE, but this
>     is obviously more work for our stable maintainer (Michael Roth).
>     We might get a few CVEs a cycle, though obviously it varies.

I have another proposal: if we fix CVEs on master, we'd better have a
place (maybe www.qemu.org?) to describe which stable releases are
affected. In this way, users can fix these CVEs more easily according to
the QEMU versions they use. Meanwhile, it doesn't strictly require
releasing another stable version.

Regards,
-Gonglei