From: P J P <ppandit@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: peter.maydell@linaro.org,
"Daniel P. Berrangé" <berrange@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>
Subject: Re: About 'qemu-security' mailing list
Date: Wed, 30 Sep 2020 17:16:05 +0530 (IST) [thread overview]
Message-ID: <nycvar.YSQ.7.78.906.2009301712150.699166@xnncv> (raw)
In-Reply-To: <nycvar.YSQ.7.78.906.2009181031500.10832@xnncv>
+-- On Fri, 18 Sep 2020, P J P wrote --+
| +-- On Wed, 16 Sep 2020, Stefan Hajnoczi wrote --+
| | Do downstream maintainers want to know about potential security bug reports
| | that have not been triaged yet?
| |
| | Maybe there should there be a pre-announce list for bugs that have been
| | triaged? That saves downstream from being spammed with confidential info
| | that they probably can't use.
|
| * I was thinking about that, an '-announce' list could be better. Because
| issue reports may come with reproducers (code/scripts/packet dump). And
| sharing such reproducers with wide-rs recipients seems risky, not right.
|
| * Such reproducers shall stay in the list archives forever. It may have some
| legal IP related concerns. I'm not sure.
...
|
| | Anyway, it's unclear to me what the motivation for creating a list and
| | changing the process is. Please share your goals and reasoning in more
| | detail.
|
| * Primary motivation is to address the concern that current process limits
| community participation.
|
| * Representatives from downstream QEMU user communities shall be notified
| about security issues as and when they come in.
|
| * These representatives then decide if an issue can be readily disclosed and
| discussed on the public 'qemu-devel' list OR needs to go through an embargo
| process.
|
|
| | I think it's worth investigating whether GitLab Issues can be configured in
| | a secure-enough way for security bug reporting. That way HTTPS is used and
| | only GitLab stores the confidential information (this isn't end-to-end
| | encryption but seems better than unencrypted SMTP and plaintext emails
| | copied across machines).
|
| +-- On Wed, 16 Sep 2020, Peter Maydell wrote --+
| | Given that we currently use launchpad for bugs we should also look at
| | whether launchpad's "private security" bug classification would be useful
| | for us (currently such bug reports effectively go to /dev/null but this can
| | be fixed).
|
|
| * Bug trackers would entail that reporters must have an account there. They
| may create account also, but if/when they become inactive, they'll continue
| to receive emails or have access to security bugs.
|
| A mailing list works more on invite-only basis that way.
|
| * Bug trackers may also face the current limitation of community participants
| not knowing about the issues as and when they come in.
|
| * So bug trackers need a way to send an email to a -announce/-security list,
| sans the reproducer code/scripts/packet dump etc. information.
|
| * Between LaunchPad and GitLab, I think GitLab is preferable.
Ping...!?
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
next prev parent reply other threads:[~2020-09-30 11:47 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-11 14:20 About 'qemu-security' mailing list P J P
2020-09-11 15:27 ` Li Qiang
2020-09-11 15:40 ` Alexander Bulekov
2020-09-11 15:58 ` Alexander Bulekov
2020-09-18 7:33 ` P J P
2020-09-11 15:47 ` Daniel P. Berrangé
2020-09-11 15:51 ` Peter Maydell
2020-09-14 7:38 ` Philippe Mathieu-Daudé
2020-09-14 10:17 ` Stefan Hajnoczi
2020-09-14 8:54 ` Daniel P. Berrangé
2020-09-14 9:30 ` Peter Maydell
2020-09-14 10:15 ` Stefan Hajnoczi
2020-09-15 10:48 ` P J P
2020-09-16 11:10 ` Stefan Hajnoczi
2020-09-16 12:33 ` Peter Maydell
2020-09-16 13:06 ` Daniel P. Berrangé
2020-09-16 13:25 ` Thomas Huth
2020-09-16 13:30 ` Daniel P. Berrangé
2020-09-18 7:02 ` P J P
2020-09-30 11:46 ` P J P [this message]
2020-09-30 15:48 ` Darren Kenny
2020-10-01 10:35 ` P J P
2020-10-01 11:34 ` Darren Kenny
2020-10-01 13:57 ` Konrad Rzeszutek Wilk
2020-10-01 18:17 ` P J P
2020-10-16 14:17 ` P J P
2020-10-20 14:08 ` P J P
2020-11-03 11:18 ` P J P
2020-11-17 14:46 ` Stefan Hajnoczi
2020-11-17 16:19 ` Stefan Hajnoczi
2020-11-17 16:35 ` Daniel P. Berrangé
2020-11-18 10:32 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YSQ.7.78.906.2009301712150.699166@xnncv \
--to=ppandit@redhat.com \
--cc=berrange@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).