On 9/11/20 5:51 PM, Peter Maydell wrote:
> On Fri, 11 Sep 2020 at 15:22, P J P <ppan...@redhat.com> wrote:
>> Proposal: (to address above limitations)
>> =========
>>
>> * We set up a new 'qemu-security' mailing list.
>>
>> * QEMU security issues are reported to this new list only.
>>
>> * Representatives from various communities subscribe to this list. (List
>>   maybe moderated in the beginning.)
>>
>> * As QEMU issues come in, participants on the 'qemu-security' list shall
>>   discuss and decide about how to triage them further.
>
> Way way back, the idea of a qemu-security list was proposed, and
> it was decided against because there wasn't a clear way that
> people could send encrypted mail to the security team if it
> was just a mailing list. So that's why we have the "handful
> of individual contacts" approach. Is that still something people
> care about ?

I don't think so, as I took care to encrypt a bug report and received the reply unencrypted =) Not sure this is the default though, as this was my unique experience following the security process.