Hello,

+-- On Fri, 11 Sep 2020, Peter Maydell wrote --+
| Way way back, the idea of a qemu-security list was proposed, and it was
| decided against because there wasn't a clear way that people could send
| encrypted mail to the security team if it was just a mailing list. So that's
| why we have the "handful of individual contacts" approach. Is that still
| something people care about?

* So far issue reports have mostly been unencrypted.
* Not all issue reports may need encryption.
* If someone still wants to send an encrypted report, a few contacts with their GPG keys could be made available, as is the case now.

+-- On Mon, 14 Sep 2020, Stefan Hajnoczi wrote --+
| On Fri, Sep 11, 2020 at 04:51:49PM +0100, Peter Maydell wrote:
| > want it to be a larger grouping than that and maybe also want to use it as
| > a mechanism for informing downstream distros etc about QEMU security
| > issues, which is to say you're proposing an overhaul and change to our
| > security process, not merely "we'd like to create a mailing list" ?
|
| Yes, please discuss the reasons for wanting a mailing list:
|
| Is the goal to involve more people in triaging CVEs in a timely manner?

This will be welcome for fix patches.

| Is the goal to include new people who have recently asked to participate?

We've not received such a request yet.

| Is the goal to use an easier workflow than manually sending encrypted
| email to a handful of people?

* The current proposal is more for enabling communities and downstream distros to know about the issues as and when they are reported, i.e. a heads-up mechanism. Just to note, we've not received any request for such notifications.
* If maintainers are on this list, that could help with the triage and fix patches.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D