This is a brief writeup of what we discussed at the QEMU Summit 2014
at KVM Forum last week. Unfortunately I didn't have the presence of
mind to request that anybody took notes, so this is based on my
memory and on the agenda we sent out, and may contain errors. Please
feel free to correct me if I got something wrong or completely forgot
anything...
* discussion of the state of qemu-project.org infrastructure
(security, backups, maintenance, etc); we're currently admining
our own VM for this, but it would be better to have a less
ad-hoc sysadmin. Stefan H is going to talk to OSU (who host
the VM for us) about also taking on its admin.
* Software Conservancy application status
We agreed last year that we wanted QEMU to join the Software
Conservancy. The application process stalled as a result of
Anthony Liguori's retirement from the project, but there are
no blockers to continuing and everybody agreed it was still a
good plan, so I'm going to pick this up and move it forward.
* patch review, processes for not dropping patches on the floor
+ feels to me like we have a persistent problem with unmaintained
and less-maintained areas of the codebase
+ -trivial has helped for the very easy stuff
+ maybe we should try to come up with an automated system for
at least identifying reviewed patches that would otherwise
get lost? There was discussion of a web 'dashboard' Benoit (?)
had put together based on Anthony's 'patches' tool.
+ My personal hope is that we can come up with some better
tooling that allows a wider group of people to effectively
apply occasional time and attention
+ improving coverage of MAINTAINERS where files really do have
an owner (you'll have seen a flurry of patches for this)
* We also talked about encouraging people to step up as
submaintainers or co-submaintainers for undermaintained areas
of the tree. In particular I think Mark Cave-Ayland has done
a good job in taking over handling of target-sparc over the
last six months or so, and hopefully Leon Alrae will be willing
to do similar with target-mips.
* Security process: we discussed our security advisory/disclosure
handling process in the light of a few recent CVEs. There didn't
seem to me to be a clear consensus here, except that (a) our
current approach [which could be roughly summarised as "delegate
to the RedHat security team"] is at least not fatally flawed and
(b) we don't have the resources for a full blown heavyweight
process such as that used by the Xen project.
thanks
-- PMM
