On Fri, Sep 11, 2020 at 04:51:49PM +0100, Peter Maydell wrote:
> On Fri, 11 Sep 2020 at 15:22, P J P <ppan...@redhat.com> wrote:
> > Proposal: (to address above limitations)
> > =========
> >
> > * We set up a new 'qemu-security' mailing list.
> >
> > * QEMU security issues are reported to this new list only.
> >
> > * Representatives from various communities subscribe to this list. (List
> >   may be moderated in the beginning.)
> >
> > * As QEMU issues come in, participants on the 'qemu-security' list shall
> >   discuss and decide about how to triage them further.
>
> Way way back, the idea of a qemu-security list was proposed, and
> it was decided against because there wasn't a clear way that
> people could send encrypted mail to the security team if it
> was just a mailing list. So that's why we have the "handful
> of individual contacts" approach. Is that still something people
> care about ?
>
> My question is, who decides who's on the qemu-security list?
> Is this just "it's the same handful of contacts, but they
> have a mailing list for convenience" ? It sounds like you
> want it to be a larger grouping than that and maybe also
> want to use it as a mechanism for informing downstream distros
> etc about QEMU security issues, which is to say you're
> proposing an overhaul and change to our security process,
> not merely "we'd like to create a mailing list" ?

Yes, that is a reasonable description.

Do we think the current QEMU security process is working well for the
community as a whole in terms of our downstream consumers learning about
security flaws in an appropriate timeframe and manner ?

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|