From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54730)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1YzoTi-0007ms-Hy
	for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:51:47 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1YzoTe-00019L-HD
	for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:51:46 -0400
Received: from mail-ig0-f175.google.com ([209.85.213.175]:37173)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1YzoTe-00019G-E8
	for qemu-devel@nongnu.org; Tue, 02 Jun 2015 11:51:42 -0400
Received: by igbsb11 with SMTP id sb11so91313329igb.0
	for <qemu-devel@nongnu.org>; Tue, 02 Jun 2015 08:51:41 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.02.1506021630170.19838@kaball.uk.xensource.com>
References: <alpine.DEB.2.02.1506021608160.19838@kaball.uk.xensource.com>
	<alpine.DEB.2.02.1506021630170.19838@kaball.uk.xensource.com>
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 2 Jun 2015 16:51:21 +0100
Message-ID: <CAFEAcA9stcCU-q_8inq8zxkdS7o6vP8s-n0u93St_r_oceCcvw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Qemu-devel] [PATCH 0/11] Xen PCI Passthrough security fixes
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com Devel" <xen-devel@lists.xensource.com>, QEMU Developers <qemu-devel@nongnu.org>, JBeulich@suse.com

On 2 June 2015 at 16:32, Stefano Stabellini
<stefano.stabellini@eu.citrix.com> wrote:
> On Tue, 2 Jun 2015, Stefano Stabellini wrote:
>> Hi all,
>>
>> the following is a collection of QEMU security fixes for PCI Passthrough
>> on Xen. Non-Xen usages of QEMU are unaffected.
>>
>> Although the CVEs have already been made public, given the large amount
>> of changes, I decided not to send a pull request without giving a chance
>> to the QEMU community to comment on the patches first.
>
> Peter convinced me to send out a pull request immediately. If anybody
> has any comments on the patches, we can still fix them up later or even
> revert them if that becomes necessary.

For the record, the rationale is:
 * fixes for CVEs will have been reviewed during the nondisclosure period
 * getting security fixes into master in a timely fashion is important
 * having the patches in upstream master be different from the ones
   advertised with the CVE can cause confusion about which are "correct"
 * if there are any problems with the CVE fixes (stylistic or otherwise)
   we can correct them with followup patches

Our workflow/process for handling security issues is not set in
stone (indeed it's evolving a bit at the moment), so comments/suggestions
welcome.

thanks
-- PMM