On 17 April 2014 14:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> People sometimes detect security issues in upstream
> QEMU and don't know where to report them in a non-public way.
> Of course whoever just wants full disclosure can just go public,
> but there's nothing specified for non-public - until recently Anthony
> was doing this informally.
>
> As I started doing this recently anyway, I can handle this on the QEMU side
> in a more formal way.
>
> Adding a secalert mailing list as well - they are the ones who are actually
> opening CVEs, communicating issues to all downstreams etc,
> and they are already handling this for upstream, not just Red Hat.
>
> Keeping Anthony's address around in case he wants to be informed.
This makes sense to me -- as I understand it we've always informally
leaned on the Red Hat security apparatus, so having it written down
somewhere so people know who they ought to inform seems like a good
idea to me. We can also write something up on the wiki at some point.

It might be worth discussing what our general process for security
fixes is -- in the past we've had both:
 * fix is quietly committed to git and then announced/posted on the mailing list
 * fix gets a CVE and patches are posted to the list but not necessarily committed to git

> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> ---
> MAINTAINERS | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 34b8c3f..713546f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -52,6 +52,12 @@ General Project Administration
> ------------------------------
> M: Anthony Liguori <aligu...@amazon.com>
>
> +Responsible Disclosure, Reporting Security Issues
> +------------------------------
> +M: Michael S. Tsirkin <m...@redhat.com>
> +M: Anthony Liguori <aligu...@amazon.com>
> +L: secal...@redhat.com

If our process is going to involve direct-commit-of-fixes then we
probably need more than one committer listed here to cover for
holidays/etc.

thanks
-- PMM
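Review bot: the underline added below the new heading ("+------------------------------") is the same 30-dash width as the one under "General Project Administration" in the context lines, but the new heading "Responsible Disclosure, Reporting Security Issues" is 49 characters, so the section will not match the rest of MAINTAINERS, where the dashes span the full heading; either lengthen the underline to the heading width or shorten the heading (e.g. "Responsible Disclosure"). Since the whole point of the section is to tell reporters where non-public reports go, a one-line note after the "+L: secal...@redhat.com" entry saying that this address is a private list would also help readers who do not already know what secalert is.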