On 17 April 2014 19:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
>> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com> wrote:
>> > People sometimes detect security issues in upstream
>> > QEMU and don't know where to report them in a non-public way.
>> > Of course whoever just wants full disclosure can just go public,
>> > but there's nothing specified for non-public - until recently Anthony
>> > was doing this informally.
>> >
>> > As I started doing this recently anyway, I can handle this on the QEMU side
>> > in a more formal way.
>> >
>> > Adding a secalert mailing list as well - they are the ones who are actually
>> > opening CVEs, communicating issues to all downstreams etc,
>> > and they are already handling this for upstream, not just Red Hat.
>> >
>> > Keeping Anthony's address around in case he wants to be informed.
>> >
>> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>>
>> What about using qemu-secur...@nongnu.org and creating that as a
>> moderated mailing list with no public archive?
>>
>> That way there's a single contact point and there can be many people
>> backing it up to make sure that disclosures are handled very quickly.
>
> Also I'd like a more explicit name, we don't want general
> security related discussions on that list.
> qemu-secal...@nongnu.org
> ?

OK, so do we want to:
(a) commit this patch as-is
(b) set up the proposed mailing list?

If (b), who has the admin rights to do that?
I don't feel strongly either way.

thanks
-- PMM