+-- On Thu, 1 Oct 2020, Darren Kenny wrote --+
| The storage of reproducers would indeed be good to have in something
| like Gitlab - but that'd require someone to extract it and store it, but
| under what naming would be another issue... But really that's behind the
| scenes.

Yes.

| > Maybe we could start with a moderated list and improvise as we go forward?
|
| I really think that encryption of the details of a vulnerability is
| important; if somehow it gets intercepted - which is not that difficult with
| e-mail - then there is the potential for a malicious party to exploit it
| before a fix is available to distros, and deployed.

An encrypted list, open to receive non-encrypted reports, seems okay.
Will have to check how to set it up and its workflow.

| Something that has happened since the Intel Spectre/Meltdown vulnerabilities
| were initially brought to light is more communication between security teams
| in various orgs. To do this, those discussions have started being done on
| Keybase, which provides secure chats as well as secured Git repos.
|
| Has anything like that been considered as the point for subsequent
| discussions on issues post the initial disclosure?

That has not come up for QEMU issues yet. Maybe we could consider it in
future if required.

+-- On Thu, 1 Oct 2020, Konrad Rzeszutek Wilk wrote --+
| The problem with Keybase was how to review patches. Now if they had an
| encrypted mailing list as part of their Git repos that would be awesome.
| (Trying to find a "Feature request" but not having much luck :-()

True. Email + PGP/GPG has been around for so many years, yet there is no
seamless combination of the two. :(

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D