Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-09 Thread Daniel P. Berrange
On Tue, Jun 09, 2015 at 09:30:11AM +0800, Gonglei wrote: > On 2015/6/8 21:07, Daniel P. Berrange wrote: > > On Mon, Jun 08, 2015 at 08:44:25PM +0800, Gonglei wrote: > >> On 2015/6/6 6:16, John Snow wrote: > >>> (6) What about qemu-stable? > >>> > >>> Our stable process is somewhat lacking with resp

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Gonglei
On 2015/6/8 21:07, Daniel P. Berrange wrote: > On Mon, Jun 08, 2015 at 08:44:25PM +0800, Gonglei wrote: >> On 2015/6/6 6:16, John Snow wrote: >>> (6) What about qemu-stable? >>> >>> Our stable process is somewhat lacking with respect to the CVE >>> process. It is good that we occasionally publish s

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Peter Maydell
On 5 June 2015 at 23:16, John Snow wrote: > Prompted by the recent CVE-2015-3456 ("VENOM") issue, it seems to me > that our CVE handling procedure is a little more ad-hoc than it should > reasonably be. This is not the first attempt to help rectify our CVE > process -- see Peter Maydell's 2.3 post

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Daniel P. Berrange
On Mon, Jun 08, 2015 at 08:44:25PM +0800, Gonglei wrote: > On 2015/6/6 6:16, John Snow wrote: > > (6) What about qemu-stable? > > > > Our stable process is somewhat lacking with respect to the CVE > > process. It is good that we occasionally publish stable fix roundups > > that downstream maintain

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Gonglei
On 2015/6/6 6:16, John Snow wrote: > (6) What about qemu-stable? > > Our stable process is somewhat lacking with respect to the CVE > process. It is good that we occasionally publish stable fix roundups > that downstream maintainers can base their work off of, but it would > be good to have a bran

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Stefano Stabellini
On Fri, 5 Jun 2015, John Snow wrote: > - Topal: Output generated on Mon Jun 8 11:48:03 BST 2015 > - Topal: GPG output starts - > gpg: Signature made Fri 05 Jun 2015 23:16:30 BST using RSA key ID AAFC390E > gpg: Can't check signature: public key not found > - Topal: GPG output ends

Re: [Qemu-devel] QEMU's CVE Procedures

2015-06-08 Thread Stefan Hajnoczi
On Fri, Jun 05, 2015 at 06:16:30PM -0400, John Snow wrote: > Anyway, my apologies for the wall of text. I wanted to take this > opportunity post-venom to ask some questions to the list to see if the > interest is there in revamping our CVE policy which is in need of, at > the very least, some clari

[Qemu-devel] QEMU's CVE Procedures

2015-06-05 Thread John Snow
Hi, everyone: ("Oh no, what monolith did John type up this time? /Golly Dang He's really giving Markus a run for his money/") Prompted by the recent CVE-2015-3456 ("VENOM") issue, it seems to me that our CVE handling procedure is a little more ad-h