Re: About 'qemu-security' mailing list

[Alexander Bulekov]

Hi Prasad,
A couple questions:
 * I'm guessing this will be a closed list with some application/vetting
   procedure for the participants? (Maybe this is what you mean by
   "moderated" ?)
 * How will the communication be encrypted?
 * Will secalert still be subscribed (for managing CVE ID assignments)?
 * Assuming PGP will be gone, will it be possible to make the "This bug
   is a security vulnerability" button work on Launchpad?
Thanks!
-Alex

On 200911 1950, P J P wrote:
>   Hello all,
> 
> Recently while conversing with DanPB this point came up
> 
>    -> https://www.qemu.org/contribute/security-process/
> 
> * Currently QEMU security team is a handful of individual contacts which
>   restricts community participation in dealing with these issues.
> 
> * The Onus also lies with the individuals to inform the community about QEMU
>   security issues, as they come in.
> 
> 
> Proposal: (to address above limitations)
> =========
> 
> * We set up a new 'qemu-security' mailing list.
> 
> * QEMU security issues are reported to this new list only.
> 
> * Representatives from various communities subscribe to this list. (List maybe
>   moderated in the beginning.)
> 
> * As QEMU issues come in, participants on the 'qemu-security' list shall
>   discuss and decide about how to triage them further.
> 
> Please kindly let us know your views about it. I'd appreciate if you have
> any suggestions/inputs/comments about the same.
> 
> 
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> 
>