On 2015/9/4 20:24, Peter Maydell wrote:
> * Security process
>   * We've improved and documented our security process over the last
>     year or so, but it could still be improved.
>   * Big problem -- we fix CVEs on master, but we don't provide a stable
>     release with security fixes until the next time we would have
>     done a release anyway; this can mean we go for months without
>     any available stable release without known security issues.
>   * We could do a stable release immediately we have a CVE, but this
>     is obviously more work for our stable maintainer (Michael Roth).
>     We might get a few CVEs a cycle, though obviously it varies.
I have another proposal: if we fix CVEs on master, we'd better have a place (maybe www.qemu.org?) describing which stable releases are affected. That way, users can fix these CVEs more easily according to the QEMU versions they use. Meanwhile, it doesn't strictly require releasing another stable version.

Regards,
-Gonglei