On Mon, Apr 28, 2014 at 05:35:38PM +0300, Michael S. Tsirkin wrote:
> I'll play around once I get the password.
> From what I've seen so far,
> I'm not sure it's the right server to use for security :(

I did some more research and savannah does not seem to support any
encryption for its lists: neither TLS nor PGP.
This would mean that all communication has to be in the clear.
I think that for this use, we would be better off with an option that
can guarantee a measure of privacy.
For now simply listing specific addresses and GPG keys looks like the
only way. Makes sense?

I would really like us to get an agreement on this so we can start
making progress on harder issues such as agreeing on a security policy.

> The list now appears here
> https://lists.nongnu.org/mailman/listinfo
> under the heading "Below is a listing of all the public mailing lists on
> lists.nongnu.org."
> The list page https://lists.nongnu.org/mailman/listinfo/qemu-security
> also seems to even have a link to public archives - it's not live
> but its presence might scare people away.
>
> We definitely do not want this list to be public - it's so people who want to
> do the responsible disclosure process can get some response and possibly
> help.
>
> If someone just wants to go public there's always qemu-devel.
>
> I guess we can configure it to actually be non-public, but hiding
> information seems unlikely to be one of savannah's strong points.
> I know if I was asked to post sensitive information to such
> a list I would hesitate, which isn't the effect we are trying to
> achieve here.
>
>
> On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> > https://lists.nongnu.org/mailman/admin/qemu-security
> >
> > Has been created but it will take 24-48 hours for Savannah to do its
> > thing. I'll send out the mailing list password to Michael and Peter once
> > it is created.
> >
> > Regards,
> >
> > Anthony Liguori
> >
> > ________________________________________
> > From: Michael S. Tsirkin [m...@redhat.com]
> > Sent: Monday, April 28, 2014 6:39 AM
> > To: Peter Maydell
> > Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, Anthony
> > Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
> >
> > On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > > On 17 April 2014 19:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> > > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > > >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com> wrote:
> > > >> > People sometimes detect security issues in upstream
> > > >> > QEMU and don't know where to report them in a non-public way.
> > > >> > Of course whoever just wants full disclosure can just go public,
> > > >> > but there's nothing specified for non-public - until recently Anthony
> > > >> > was doing this informally.
> > > >> >
> > > >> > As I started doing this recently anyway, I can handle this on the QEMU side
> > > >> > in a more formal way.
> > > >> >
> > > >> > Adding a secalert mailing list as well - they are the ones who are actually
> > > >> > opening CVEs, communicating issues to all downstreams etc,
> > > >> > and they are already handling this for upstream, not just Red Hat.
> > > >> >
> > > >> > Keeping Anthony's address around in case he wants to be informed.
> > > >> >
> > > >> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> > > >>
> > > >> What about using qemu-secur...@nongnu.org and creating that as a
> > > >> moderated mailing list with no public archive?
> > > >>
> > > >> That way there's a single contact point and there can be many people
> > > >> backing it up to make sure that disclosures are handled very quickly.
> > > >
> > > > Also I'd like a more explicit name, we don't want general
> > > > security related discussions on that list.
> > > > qemu-secal...@nongnu.org
> > > > ?
> > >
> > > OK, so do we want to:
> > > (a) commit this patch as-is
> > > (b) set up the proposed mailing list?
> > >
> > > If (b), who has the admin rights to do that?
> > >
> > > I don't feel strongly either way.
> > >
> > > thanks
> > > -- PMM
> >
> > Way I see it, as long as it has the same people, it probably doesn't matter :)
> > We can get around to creating a list if/when more people volunteer.
> >
> > I also think we want people to have the option to communicate with pgp.
> >
> > Some searches I found mailman patches for pgp support:
> > http://non-gnu.uvt.nl/mailman-pgp-smime/
> >
> > but without that, we really need to list individual people for now.
> >
> > --
> > MST
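The "list specific addresses and GPG keys" option discussed above, worked through from the reporter's side as an added example (this is not code or data from the thread or from the QEMU project). It assumes GnuPG 2.1 or later on the path; the three identities, addresses and keys are generated on the fly in throw-away keyrings, and the "published" fingerprints stand in for what a MAINTAINERS entry would carry. The point it shows is the one the thread is making: once each contact's fingerprint is known out of band, a single report can be encrypted to every listed maintainer at once, and nothing readable goes over the wire.

```sh
#!/bin/sh
# Added example, not from the qemu-devel thread or the QEMU tree.
# Reporter encrypts a private report to every maintainer whose address and
# GPG fingerprint are listed out of band. All identities below are demo-only.
set -eu

WORK=$(mktemp -d)
REPORT="$WORK/report.txt"
CIPHERTEXT="$WORK/report.gpg"
# Constructed sample report body (no real issue).
printf 'Constructed sample: guest-triggerable overflow, details withheld.\n' > "$REPORT"

# Stop the per-keyring gpg-agents and remove the temp dirs on exit.
cleanup() {
    for p in reporter m1 m2; do
        GNUPGHOME="$WORK/$p" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg against one party's private keyring with every prompt disabled.
g() {
    party=$1; shift
    GNUPGHOME="$WORK/$party" gpg --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Create a keyring and an unprotected demo key for one party.
make_key() {
    mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"
    g "$1" --quick-generate-key "$2" default default never 2>/dev/null
}

# Primary-key fingerprint for an address, from gpg's machine-readable output.
fingerprint() {
    g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Reporter side: import a maintainer's public key, then refuse to use it
# unless its fingerprint matches the one published out of band.
import_checked() {
    party=$1; email=$2; published=$3
    g "$party" --export "$email" | g reporter --import 2>/dev/null
    actual=$(fingerprint reporter "$email")
    [ "$actual" = "$published" ] || { echo "fingerprint mismatch for $email" >&2; return 1; }
}

# Encrypt the report to all listed recipients at once so each can decrypt it.
# --trust-model always: the fingerprint check above replaces the web of trust.
encrypt_report() {
    recips=""
    for r in "$@"; do recips="$recips -r $r"; done
    # shellcheck disable=SC2086
    g reporter --yes --trust-model always -o "$CIPHERTEXT" -e $recips "$REPORT"
}

# Maintainer side: decrypt with that maintainer's own private key.
decrypt_as() {
    g "$1" -d "$CIPHERTEXT" 2>/dev/null
}

# 0 if both maintainers recover the exact report and the ciphertext does not
# contain the plaintext; 1 otherwise.
roundtrip_ok() {
    plain=$(cat "$REPORT")
    [ "$(decrypt_as m1)" = "$plain" ] || return 1
    [ "$(decrypt_as m2)" = "$plain" ] || return 1
    ! grep -aq 'Constructed sample' "$CIPHERTEXT"
}

make_key reporter 'Reporter <reporter@example.invalid>'
make_key m1 'Maintainer One <m1@example.invalid>'
make_key m2 'Maintainer Two <m2@example.invalid>'

# What a MAINTAINERS entry would publish: address plus fingerprint.
FPR_M1=$(fingerprint m1 m1@example.invalid)
FPR_M2=$(fingerprint m2 m2@example.invalid)

import_checked m1 m1@example.invalid "$FPR_M1"
import_checked m2 m2@example.invalid "$FPR_M2"
encrypt_report m1@example.invalid m2@example.invalid

if roundtrip_ok; then
    echo "report readable only by the listed maintainers"
else
    echo "round trip failed" >&2
    exit 1
fi
```

The fingerprint comparison is the part that matters: a key fetched from a keyserver or a mail attachment is only as good as the out-of-band fingerprint it is checked against, which is why the thread wants the keys themselves (or their fingerprints) next to the addresses rather than just a list address. Adding `-s` to the encrypt step would also sign the report, but then each maintainer needs the reporter's public key to verify it, which is a separate exchange.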