Re: [RFC PATCH v2 01/10] AGENTS.md: add basic AGENTS.md for QEMU

["Alex Bennée" <alex.bennee@linaro.org>]

Peter Maydell <peter.maydell@linaro.org> writes:

> On Mon, 11 May 2026 at 18:06, Alex Bennée <alex.bennee@linaro.org> wrote:
>>
>> This was written initially written by ECA based on its understanding of the
>> code base. I then expanded it with links to the various documents and
>> the general coding style.
>>
>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>
>> +## Security Policy
>> +You MUST NOT report potential security vulnerabilities in public trackers
>> +(like GitLab issues). Refer to `docs/system/security.rst` for the project's
>> +security stance. In brief:
>> +- **Virtualization Use Case**: (with KVM/HVF and specific machine types) is
>> +  the focus of security support.
>> +- **Non-virtualization Use Case**: (TCG) does not currently provide guest
>> +  isolation guarantees.
>> +- **Reporting**: Report vulnerabilities privately to `qemu-security@nongnu.org`.
>
> I feel like the important thing we want to point out to agents is
> that not all "this crashes / asserts / overruns a buffer" bugs
> are security issues. As it stands I feel like this text is
> going to steer them pretty strongly towards throwing anything
> and everything at qemu-security@, including bugs which we
> don't consider security issues. What we want ideally is to
> give instructions that will make the LLM itself do the
> initial "is this covered by the security policy" triage.

I think for that we should augment the triage skill itself.

>
> thanks
> -- PMM

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro