On Mon, Apr 28, 2014 at 09:00:40PM +0000, Liguori, Anthony wrote:
> I think this is a bit overkill.

Hmm, to clarify, this forces people to send info about 0-day exploits over
the internet in cleartext.
What do we get in return for sacrificing the privacy? A small convenience
of not typing in 3 addresses?

> Many projects use private mailing lists for this purpose.

True that some others do this, but frankly I don't understand it.
Maybe this tradeoff starts to make sense if the list of subscribers is large?

> Regards,
>
> Anthony Liguori
>
> ________________________________________
> From: Michael S. Tsirkin [m...@redhat.com]
> Sent: Monday, April 28, 2014 10:53 AM
> To: Liguori, Anthony
> Cc: Peter Maydell; Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber
> Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
>
> On Mon, Apr 28, 2014 at 05:35:38PM +0300, Michael S. Tsirkin wrote:
> > I'll play around once I get the password.
> > From what I've seen so far,
> > I'm not sure it's the right server to use for security :(
>
> I did some more research and savannah does not seem to support any
> encryption for its lists: neither TLS nor PGP.
>
> This would mean that all communication has to be in the clear.
>
> I think that for this use, we would be better off with an option that
> can guarantee a measure of privacy. For now simply listing specific
> addresses and GPG keys looks like the only way.
>
> Makes sense?
> I would really like us to get an agreement on this so we can start
> making progress on harder issues such as agreeing on a security policy.
>
> > The list now appears here
> > https://lists.nongnu.org/mailman/listinfo
> > under the heading "Below is a listing of all the public mailing lists on
> > lists.nongnu.org."
> > The list page https://lists.nongnu.org/mailman/listinfo/qemu-security
> > also seems to even have a link to public archives - it's not live
> > but its presence might scare people away.
> >
> > We definitely do not want this list to be public - it's so people who
> > want to do the responsible disclosure process can get some response and
> > possibly help.
> >
> > If someone just wants to go public there's always qemu-devel.
> >
> > I guess we can configure it to actually be non-public, but hiding
> > information seems unlikely to be one of savannah's strong points.
> > I know if I was asked to post sensitive information to such
> > a list I would hesitate, which isn't the effect we are trying to
> > achieve here.
> >
> >
> > On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> > > https://lists.nongnu.org/mailman/admin/qemu-security
> > >
> > > Has been created but it will take 24-48 hours for Savannah to do its
> > > thing. I'll send out the mailing list password to Michael and Peter once
> > > it is created.
> > >
> > > Regards,
> > >
> > > Anthony Liguori
> > >
> > > ________________________________________
> > > From: Michael S. Tsirkin [m...@redhat.com]
> > > Sent: Monday, April 28, 2014 6:39 AM
> > > To: Peter Maydell
> > > Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, Anthony
> > > Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
> > >
> > > On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > > > On 17 April 2014 19:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> > > > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > > > > > On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin
> > > > > > <m...@redhat.com> wrote:
> > > > > > > People sometimes detect security issues in upstream
> > > > > > > QEMU and don't know where to report them in a non-public way.
> > > > > > > Of course whoever just wants full disclosure can just go public,
> > > > > > > but there's nothing specified for non-public - until recently
> > > > > > > Anthony was doing this informally.
> > > > > > >
> > > > > > > As I started doing this recently anyway, I can handle this on the
> > > > > > > QEMU side in a more formal way.
> > > > > > >
> > > > > > > Adding a secalert mailing list as well - they are the ones who are
> > > > > > > actually opening CVEs, communicating issues to all downstreams etc,
> > > > > > > and they are already handling this for upstream, not just Red Hat.
> > > > > > >
> > > > > > > Keeping Anthony's address around in case he wants to be informed.
> > > > > > >
> > > > > > > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> > > > > >
> > > > > > What about using qemu-secur...@nongnu.org and creating that as a
> > > > > > moderated mailing list with no public archive?
> > > > > >
> > > > > > That way there's a single contact point and there can be many people
> > > > > > backing it up to make sure that disclosures are handled very quickly.
> > > > >
> > > > > Also I'd like a more explicit name, we don't want general
> > > > > security related discussions on that list.
> > > > > qemu-secal...@nongnu.org
> > > > > ?
> > > >
> > > > OK, so do we want to:
> > > > (a) commit this patch as-is
> > > > (b) set up the proposed mailing list?
> > > >
> > > > If (b), who has the admin rights to do that?
> > > >
> > > > I don't feel strongly either way.
> > > >
> > > > thanks
> > > > -- PMM
> > >
> > > Way I see it, as long as it has the same people, it probably doesn't
> > > matter :)
> > > We can get around to creating a list if/when more people
> > > volunteer.
> > >
> > > I also think we want people to have the option to communicate with pgp.
> > >
> > > Some searches I found mailman patches for pgp support:
> > > http://non-gnu.uvt.nl/mailman-pgp-smime/
> > >
> > > but without that, we really need to list individual people for now.
> > >
> > > --
> > > MST