From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Mon, 28 Apr 2014 14:24:45 +0100

On 17 April 2014 19:54, Michael S. Tsirkin <address@hidden> wrote:
> On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
>> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> wrote:
>> > People sometimes detect security issues in upstream
>> > QEMU and don't know where to report them in a non-public way.
>> > Of course whoever just wants full disclosure can just go public,
>> > but there's nothing specified for non-public - until recently Anthony
>> > was doing this informally.
>> >
>> > As I started doing this recently anyway, I can handle this on the QEMU side
>> > in a more formal way.
>> >
>> > Adding a secalert mailing list as well - they are the ones who are actually
>> > opening CVEs, communicating issues to all downstreams etc,
>> > and they are already handling this for upstream, not just Red Hat.
>> >
>> > Keeping Anthony's address around in case he wants to be informed.
>> >
>> > Signed-off-by: Michael S. Tsirkin <address@hidden>
>>
>> What about using address@hidden and creating that as a
>> moderated mailing list with no public archive?
>>
>> That way there's a single contact point and there can be many people
>> backing it up to make sure that disclosures are handled very quickly.
>
> Also I'd like a more explicit name, we don't want general
> security related discussions on that list.
> address@hidden
> ?
OK, so do we want to:
(a) commit this patch as-is
(b) set up the proposed mailing list?
If (b), who has the admin rights to do that?
I don't feel strongly either way.
thanks
-- PMM