On Fri, 11 Sep 2020 at 15:22, P J P <ppan...@redhat.com> wrote:
> Proposal: (to address above limitations)
> =========
>
> * We set up a new 'qemu-security' mailing list.
>
> * QEMU security issues are reported to this new list only.
>
> * Representatives from various communities subscribe to this list. (List maybe
>   moderated in the beginning.)
>
> * As QEMU issues come in, participants on the 'qemu-security' list shall
>   discuss and decide about how to triage them further.
Way way back, the idea of a qemu-security list was proposed, and it was decided against because there wasn't a clear way that people could send encrypted mail to the security team if it was just a mailing list. So that's why we have the "handful of individual contacts" approach. Is that still something people care about?

My question is, who decides who's on the qemu-security list? Is this just "it's the same handful of contacts, but they have a mailing list for convenience"? It sounds like you want it to be a larger grouping than that, and maybe also want to use it as a mechanism for informing downstream distros etc. about QEMU security issues, which is to say you're proposing an overhaul and change to our security process, not merely "we'd like to create a mailing list"?

thanks
-- PMM