From: P J P <ppandit@redhat.com>
To: Darren Kenny <darren.kenny@oracle.com>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
peter.maydell@linaro.org
Subject: Re: About 'qemu-security' mailing list
Date: Fri, 16 Oct 2020 19:47:01 +0530 (IST)
Message-ID: <nycvar.YSQ.7.78.906.2010161910530.1246156@xnncv>
In-Reply-To: <nycvar.YSQ.7.78.906.2010012320290.830962@xnncv>
Hello Darren, all
+-- On Thu, 1 Oct 2020, Darren Kenny wrote --+
| On Thursday, 2020-10-01 at 16:05:58 +0530, P J P wrote:
| > - A list member triaging such issue, would have to select their individual
| > keys for each reply.
|
| Maybe, honestly not had to deal with it personally.
"Ideally, encrypt all of your messages to their (possibly multiple)
recipients. This means that you need not only the list's public key, but
also keys for the reporter and for anyone else CC'ed. You may exercise your
best effort to obtain such keys (from keyservers, by asking in the thread in
plaintext without quoting any sensitive content, etc.), or failing that you
may fallback to plaintext, in which case you should refrain from quoting
(and adding) non-essential sensitive content. For example, if you merely
want the reporter to agree to or specify a public disclosure date, then you
may send a plaintext message back to them with this request and nothing else
(most importantly, do not quote their original report)."
-> https://oss-security.openwall.org/wiki/mailing-lists/distros
* Found the above text on an encrypted email workflow for communicating with
non-member reporters.
+-- On Thu, 1 Oct 2020, P J P wrote --+
| Encrypted list, open to receive non-encrypted reports seems okay. Will have
| to check how to set it up and its workflow.
* I reached out to '@solardiz' to check if the back end scripts/tools which
power automatic encryption on '-distros' list are available as open source
tools.
Unfortunately not.
* As his suggestions/inputs for the list, he said:
> On Friday, 9 October, 2020, 12:15:37 am IST, Solar Designer wrote:
>
> my biggest concern is that issues discussed there or reproducers for them
> might stay unpublished for very long, and would be a lucrative target.
> I think a more important than encryption property of the distros list is
> that we impose a maximum embargo time, and have requirements on
> publication of exploits too if those were provided.
>
* So, i.e., we need to:
1. Create/setup a regular non-encrypted 'qemu-security' list.
2. Invite representatives from user/downstream communities to subscribe to
it.
3. Collect & store their PGP public keys. Also create a key for the list.
4. Write 'encrypt & email' automation tool(s) to provide encryption support.
5. Document and publish above details and list workflow on a page.
...wdyt?
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
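Steps 3 and 4 of the proposal above (collect subscriber keys plus a list key, then automate "encrypt & email") can be sketched with plain GnuPG. The script below is an added example, not code from this thread or from the QEMU project: it builds a throw-away keyring holding a list key and two hypothetical subscriber keys, encrypts one constructed report so that every one of those keys can open it, and checks how many recipients the resulting message carries. It assumes GnuPG 2.1 or newer on PATH; all user IDs, addresses and the report text are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the "encrypt & email" step of the
# proposed qemu-security workflow, done with plain GnuPG. A report is encrypted
# to the list's own key AND to every subscriber key in the keyring, so each
# member decrypts with their own private key and no per-reply key selection
# is needed. Assumes GnuPG 2.1+ on PATH. Key names and report text are constructed.

# Build a throw-away keyring (list key + two hypothetical subscribers) so the
# example never touches a real keyring.
setup_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    for uid in "qemu-security list <list@example.invalid>" \
               "Subscriber One <one@example.invalid>" \
               "Subscriber Two <two@example.invalid>"; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" future-default default never >/dev/null 2>&1
    done
}

# Print the primary-key fingerprint of every public key in the keyring.
# Only the fpr line that follows a pub line is taken, so subkeys are skipped.
list_recipient_fprs() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1=="pub"{want=1;next} $1=="fpr" && want{print $10;want=0}'
}

# encrypt_report IN OUT: encrypt IN once, to all recipients, ASCII-armoured.
# --trust-model always: the keys were vetted when they were collected (step 3
# of the proposal), so the web of trust is deliberately not consulted here.
encrypt_report() {
    in=$1; out=$2
    set --
    for fpr in $(list_recipient_fprs); do
        set -- "$@" --recipient "$fpr"
    done
    gpg --batch --quiet --yes --trust-model always --armor \
        --output "$out" "$@" --encrypt "$in"
}

# count_recipients FILE: number of public-key-encrypted session keys in the
# message, i.e. how many distinct keys can open it.
count_recipients() {
    gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# decrypt_report FILE: plaintext on stdout; any of the recipient secret keys works.
decrypt_report() {
    gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo" >&2; return 0; }
    setup_keyring
    printf 'constructed report: nothing sensitive here\n' > "$GNUPGHOME/report.txt"
    encrypt_report "$GNUPGHOME/report.txt" "$GNUPGHOME/report.asc"
    echo "recipients able to decrypt: $(count_recipients "$GNUPGHOME/report.asc")"
    decrypt_report "$GNUPGHOME/report.asc"
    cleanup_keyring
}

demo
```

The point of `count_recipients` is that OpenPGP encrypts the body once and adds one public-key-encrypted session key per recipient, so adding a subscriber to the list means adding a recipient to the keyring, not re-encrypting a separate copy per member. In a real list tool the keyring would be the one populated in step 3, and the reporter's key (if obtained) would be added as a further `--recipient` for replies, matching the oss-security guidance quoted above.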