The QEMU project has just changed to use GitLab confidential issues for security disclosures.
https://www.qemu.org/contribute/security-process/ While libvirt isn't (yet) suffering the same massive AI powered bug tsunami, I'm not seeing an especially compelling reason to continue using email for security disclosures with such limited need-to-know practices. While using GitLab theoretically exposes us to greater risk of exposure via the GitLab's own staff / infra compromise, in practice they likely do a better job securing their infra than we do for our mailman install. Submissions are also guaranteed TLS protection which we can't so confidently assume for email. We don't tend to apply any long embargo times. Our maintainers are all trusted with commit access to libvirt.git, so from a trust POV I feel it acceptable to have scurity disclosures visible to all of them instead of restricted to a handful of maintainers. The security list has a handful of people from the distro present who in theory can watch it for early access to disclosures. I'm not sure if that makes a difference in practice though, especially with all the distros suffering an AI bug tsunami leading to greatly extended fix times. IOW, overall a lighter weight process using GitLab confidential issues feels like it should be sufficient for libvirt too. With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
