On Wed, Sep 16, 2020 at 01:33:38PM +0100, Peter Maydell wrote: > On Wed, 16 Sep 2020 at 12:10, Stefan Hajnoczi <stefa...@gmail.com> wrote: > > I think it's worth investigating whether GitLab Issues can be configured > > in a secure-enough way for security bug reporting. That way HTTPS is > > used and only GitLab stores the confidential information (this isn't > > end-to-end encryption but seems better than unencrypted SMTP and > > plaintext emails copied across machines). > > Given that we currently use launchpad for bugs we should also look > at whether launchpad's "private security" bug classification would > be useful for us (currently such bug reports effectively go to /dev/null > but this can be fixed).
Using a bug tracker has the notable advantage over direct email CC's that if the security triage team needs to pull in a domain specific expert, that newly added person can still see the full history of discussion on the bug. With individual email CC's, the previous discussions are essentially a information blackhole until the security triage team is good enough to forward the full discussion history (this essentially never happens in IME). Mailing list also has that easy archive access benefit. Is it possible to setup people to be able to view launchpad private bugs, without also making them full admins for the QEMU launchpad project ? Does launchpad still send clear text email notifications to the permitted admins for private bugs ? I recall I used to get clear text emails for private bugs in the past for non-QEMU projects. This reduces the security benefits of launchpad compared to email, though it is still a clear win in terms of triage process most likely. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
