
Re: [Qemu-devel] QEMU CII Best Practices record


From: Peter Maydell
Subject: Re: [Qemu-devel] QEMU CII Best Practices record
Date: Mon, 23 Oct 2017 18:55:44 +0100

On 13 October 2017 at 14:25, Daniel P. Berrange <address@hidden> wrote:
> Many projects these days are recording progress wrt CII best practices
> for FLOSS projects. I filled out a record for QEMU:
>
>   https://bestpractices.coreinfrastructure.org/projects/1309
>
> I only looked at the 'Passing' criteria, not considered the 'Silver' and
> 'Gold' criteria. So if anyone else wants to contribute, register an
> account there and tell me the username whereupon I can add you as a
> collaborator.

For the questions about "50% of bug reports must be acknowledged"
and ditto enhancement requests, did you mine the launchpad data
or are you just guessing? :-) Similarly for vulnerability report
response time.

I think you're fudging the test-policy questions in our favour a bit.

>  -  The release notes MUST identify every publicly known vulnerability
>     that is fixed in each new release.
>
>     I don't see a list of CVEs mentioned in our release Changelogs or
>     indeed a historic list of CVEs anywhere even outside the release
>     notes?

Indeed I don't think we do this. I would say that as a project we
essentially push the job of rolling new releases for CVEs, informing
users about CVE fixes, etc, to our downstream distributors.

I suspect we only pass the "no vulns unpatched for more than 60 days"
if you allow "patched in bleeding edge master and in distros
but not in any upstream release" to count.

thanks
-- PMM
