On 16/09/2020 15.06, Daniel P. Berrangé wrote:
> On Wed, Sep 16, 2020 at 01:33:38PM +0100, Peter Maydell wrote:
>> On Wed, 16 Sep 2020 at 12:10, Stefan Hajnoczi <stefa...@gmail.com> wrote:
>>> I think it's worth investigating whether GitLab Issues can be configured
>>> in a secure-enough way for security bug reporting. That way HTTPS is
>>> used and only GitLab stores the confidential information (this isn't
>>> end-to-end encryption but seems better than unencrypted SMTP and
>>> plaintext emails copied across machines).
>>
>> Given that we currently use launchpad for bugs we should also look
>> at whether launchpad's "private security" bug classification would
>> be useful for us (currently such bug reports effectively go to /dev/null
>> but this can be fixed).

I've somehow managed to subscribe myself to our private LP bugs, so I get
notified if there is a new one.

> Using a bug tracker has the notable advantage over direct email CC's
> that if the security triage team needs to pull in a domain specific
> expert, that newly added person can still see the full history of
> discussion on the bug.
>
> With individual email CC's, the previous discussions are essentially
> an information blackhole until the security triage team is good enough
> to forward the full discussion history (this essentially never happens
> in IME). Mailing list also has that easy archive access benefit.
>
> Is it possible to setup people to be able to view launchpad private
> bugs, without also making them full admins for the QEMU launchpad
> project ?

Honestly, I'd rather like us to move to the gitlab bug tracker instead of
extending our use of the launchpad tracker. LP is IMHO a really ugly bug
tracking tool.

> Does launchpad still send clear text email notifications to the
> permitted admins for private bugs ? I recall I used to get clear
> text emails for private bugs in the past for non-QEMU projects.

IIRC, yes, the email notifications for the private bugs are still sent
without encryption.

 Thomas