Hi Prasad,

A couple questions:

* I'm guessing this will be a closed list with some application/vetting
  procedure for the participants? (Maybe this is what you mean by
  "moderated"?)

* How will the communication be encrypted?

* Will secalert still be subscribed (for managing CVE ID assignments)?

* Assuming PGP will be gone, will it be possible to make the "This bug is
  a security vulnerability" button work on Launchpad?

Thanks!
-Alex

On 200911 1950, P J P wrote:
> Hello all,
>
> Recently while conversing with DanPB this point came up
>
> -> https://www.qemu.org/contribute/security-process/
>
> * Currently QEMU security team is a handful of individual contacts which
>   restricts community participation in dealing with these issues.
>
> * The onus also lies with the individuals to inform the community about QEMU
>   security issues, as they come in.
>
>
> Proposal: (to address above limitations)
> =========
>
> * We set up a new 'qemu-security' mailing list.
>
> * QEMU security issues are reported to this new list only.
>
> * Representatives from various communities subscribe to this list. (List may be
>   moderated in the beginning.)
>
> * As QEMU issues come in, participants on the 'qemu-security' list shall
>   discuss and decide about how to triage them further.
>
> Please kindly let us know your views about it. I'd appreciate if you have
> any suggestions/inputs/comments about the same.
>
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D