I'll play around once I get the password. From what I've seen so far, I'm not sure it's the right server to use for security :(

The list now appears here https://lists.nongnu.org/mailman/listinfo under the heading "Below is a listing of all the public mailing lists on lists.nongnu.org." The list page https://lists.nongnu.org/mailman/listinfo/qemu-security also seems to even have a link to public archives - it's not live but its presence might scare people away. We definitely do not want this list to be public - it's so people who want to do the responsible disclosure process can get some response and possibly help. If someone just wants to go public there's always qemu-devel. I guess we can configure it to actually be non-public, but hiding information seems unlikely to be one of savannah's strong points. I know if I was asked to post sensitive information to such a list I would hesitate, which isn't the effect we are trying to achieve here.

On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> https://lists.nongnu.org/mailman/admin/qemu-security
>
> Has been created but it will take 24-48 hours for Savannah to do its thing.
> I'll send out the mailing list password to Michael and Peter once it is
> created.
>
> Regards,
>
> Anthony Liguori
>
> ________________________________________
> From: Michael S. Tsirkin [m...@redhat.com]
> Sent: Monday, April 28, 2014 6:39 AM
> To: Peter Maydell
> Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, Anthony
> Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
>
> On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > On 17 April 2014 19:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com>
> > >> wrote:
> > >> > People sometimes detect security issues in upstream
> > >> > QEMU and don't know where to report them in a non-public way.
> > >> > Of course whoever just wants full disclosure can just go public,
> > >> > but there's nothing specified for non-public - until recently Anthony
> > >> > was doing this informally.
> > >> >
> > >> > As I started doing this recently anyway, I can handle this on the QEMU side
> > >> > in a more formal way.
> > >> >
> > >> > Adding a secalert mailing list as well - they are the ones who are actually
> > >> > opening CVEs, communicating issues to all downstreams etc,
> > >> > and they are already handling this for upstream, not just Red Hat.
> > >> >
> > >> > Keeping Anthony's address around in case he wants to be informed.
> > >> >
> > >> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> > >>
> > >> What about using qemu-secur...@nongnu.org and creating that as a
> > >> moderated mailing list with no public archive?
> > >>
> > >> That way there's a single contact point and there can be many people
> > >> backing it up to make sure that disclosures are handled very quickly.
> > >
> > > Also I'd like a more explicit name, we don't want general
> > > security related discussions on that list.
> > > qemu-secal...@nongnu.org
> > > ?
> >
> > OK, so do we want to:
> > (a) commit this patch as-is
> > (b) set up the proposed mailing list?
> >
> > If (b), who has the admin rights to do that?
> >
> > I don't feel strongly either way.
> >
> > thanks
> > -- PMM
>
> Way I see it, as long as it has the same people, it probably doesn't matter :)
> We can get around to creating a list if/when more people
> volunteer.
>
> I also think we want people to have the option to communicate with pgp.
>
> Some searches I found mailman patches for pgp support:
> http://non-gnu.uvt.nl/mailman-pgp-smime/
>
> but without that, we really need to list individual people for now.
>
> --
> MST