From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Markus Armbruster <armbru@redhat.com>,
Wenxiang Qian <leonwxqian@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>, John Snow <jsnow@redhat.com>
Subject: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Date: Wed, 2 Dec 2020 14:36:38 +0100 [thread overview]
Message-ID: <7a5db04b-8ce7-476f-41a2-667459a4b0b0@redhat.com> (raw)
In-Reply-To: <212a55e-9a3d-8e4e-85c7-14a495e53f6a@redhat.com>
On 12/2/20 2:17 PM, P J P wrote:
> +-- On Tue, 1 Dec 2020, Philippe Mathieu-Daudé wrote --+
> | Is it possible to release the reproducer to the community, so we can work on
> | a fix and test it?
>
> * No, we can not release/share reproducers on a public list.
>
> * We can request reporters to do so by their volition.
>
[...]
>
> * Even then, we'll need to ask reporter's permission before sharing their
> reproducers on a public list OR with non-members.
>
> * Best is if reporters share/release reproducers themselves. Maybe we can have
> a public git repository and they can send a PR to include their reproducers
> in the repository.
While the EDK2 security workflow has its own drawbacks (inherent
to the project), a fair part is to ask the reporter to attach
their reproducer to the private BZ; then, when the embargo expires,
the BZ becomes public (as does the reproducer). Thus the community
can look at how the bug was handled, how it was reviewed/tested,
by whom, etc.
https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues
>
> * That way multiple reproducers for the same issue can be held together.
2020-11-18 14:27 [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end P J P
2020-11-27 13:57 ` P J P
2020-12-01 11:51 ` Paolo Bonzini
2020-12-01 15:00 ` P J P
2020-12-01 15:23 ` Philippe Mathieu-Daudé
2020-12-01 15:30 ` Peter Maydell
2020-12-01 15:42 ` Paolo Bonzini
2020-12-01 15:30 ` Paolo Bonzini
2020-12-01 15:30 ` Paolo Bonzini
2020-12-02 7:07 ` Markus Armbruster
2020-12-02 13:17 ` P J P
2020-12-02 13:33 ` Paolo Bonzini
2020-12-02 13:36 ` Philippe Mathieu-Daudé [this message]
2020-12-03 9:48 ` P J P
2020-12-11 8:23 ` Wenxiang Qian
2020-12-11 8:32 ` Wenxiang Qian
2020-12-11 11:46 ` Paolo Bonzini
2020-12-11 11:45 ` Paolo Bonzini
2020-12-11 14:16 ` P J P