Re: About 'qemu-security' mailing list

[P J P <ppandit@redhat.com>]

  Hello,

+-- On Fri, 11 Sep 2020, Peter Maydell wrote --+
| Way way back, the idea of a qemu-security list was proposed, and it was 
| decided against because there wasn't a clear way that people could send 
| encrypted mail to the security team if it was just a mailing list. So that's 
| why we have the "handful of individual contacts" approach. Is that still 
| something people care about ?

* So far issue reports have mostly been unencrypted.

* All issue reports may not need encryption.

* If someone still wants to send an encrypted report, few contacts with their 
  GPG keys could be made available, as is available now.


+-- On Mon, 14 Sep 2020, Stefan Hajnoczi wrote --+
| On Fri, Sep 11, 2020 at 04:51:49PM +0100, Peter Maydell wrote:
| > want it to be a larger grouping than that and maybe also want to use it as 
| > a mechanism for informing downstream distros etc about QEMU security 
| > issues, which is to say you're proposing an overhaul and change to our 
| > security process, not merely "we'd like to create a mailing list" ?
| 
| Yes, please discuss the reasons for wanting a mailing list:
| 
| Is the goal to involve more people in triaging CVEs in a timely manner?

  This will be welcome for fix patches.

| Is the goal to include new people who have recently asked to participate?

  We've not received such request yet.

| Is the goal to use an easier workflow than manually sending encrypted
| email to a handful of people?

* Current proposal is more for enabling communities and downstream distros to 
  know about the issues as and when they are reported. Ie. heads-up mechanism.

  Just to note, we've not received any request for such notifications.

* If maintainers are on this list, that could help with the triage and fix 
  patches.


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D