On Tue, May 19, 2026 at 03:26:51PM +0100, Daniel P. Berrangé wrote:
> This needs an issue tracker to cope with & email is not an issue tracker.
> We faked an issue tracker with a shared spreadsheet to prevent us drowning
> these past few months, but this is still not sustainable & probably won't
> ever be.
snip

> We have some options IMHO
>
> 1. Move all security disclosure to GitLab confidential issues,
>    no disclosures via email
>
> 2. Move AI/fuzzer assisted disclosures to GitLab confidential
>    issues, keep human discovered issues on qemu-security list
>
> 3. Move AI/fuzzer assisted disclosures to GitLab public
>    issues, keep human discovered issues on qemu-security list

snip

> Some downsides/implications
>
> * Every disclosure in a confidential issue will be visible to every
>   maintainer who has joined the qemu-project repo on GitLab. IOW
>   that is treating every maintainer as equally trusted.
>
>   We do have qemu-security though we could be mailed if someone
>   considered their disclosure to be severely impactful but the triage
>   team can't make that decision.
>
> * We must NOT grant membership to qemu-project at a Reporter level
>   for anyone who is not an active maintainer. They must be limited
>   to the "Guest" role at most.

I did a query

  $ glab api --paginate /projects/11167699/members/all | jq '.[].name' | sort > members.txt
  $ IFS=$'\n'
  $ for line in $(sed -e 's/"//g' members.txt); do
        echo -n "$line: "
        grep "$line" MAINTAINERS | wc -l
    done | grep ': 0'

Of the results without a match as a maintainer I see

 * Qemu Janitor
 * stsquad-gitlab-api-access

   Bot accounts

 * dgibson
 * Hanna Czenczek
 * MST

   False negatives - just name mismatches between gitlab account
   and MAINTAINERS files

 * Eduardo Habkost
 * Juan Quintela

   Former maintainers, no longer active in QEMU AFAIK

 * Peter Krempa
 * Peter Krempa (work)

   Libvirt maintainer, added to enable moving bugs between projects

 * Anthony Roberts
 * Bastian Koppelmann
 * Emilio Cota
 * Jim MacArthur
 * Joaquin de Andres
 * Paul Zimmerman

   At least 1 code commit, but not maintainers

 * Eldon

   Provided us some CI hardware for a period of time

 * Aihua Liang
 * Lars D

   Unclear

The former maintainers can probably be removed at this point, given
the length of time that's passed.
If we want to use "Confidential" issues in any way, the question is
whether the rest of the non-maintainers / non-bot accounts should
retain "Reporter" role or be moved to "Guest" role? Some contributors
may be active enough that they're effectively maintainers, even if
not listed in MAINTAINERS.

With regards,
Daniel
-- 
|: https://berrange.com      ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org         ~~ https://entangle-photo.org   :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
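The membership check above is a one-off shell pipeline that matches only on display name, which is why Daniel gets false negatives such as account handles that differ from the MAINTAINERS spelling. The script below is an added example for the same audit, written for this page rather than taken from the thread or from the QEMU project. It assumes the `members/all` response has been saved as JSON (the `name`, `username` and `access_level` fields are the ones GitLab returns; the numeric levels 10/20/30/40/50 for Guest/Reporter/Developer/Maintainer/Owner are GitLab's documented values), that MAINTAINERS uses `M:`/`R:` lines of the form `Name <email>`, and it uses a constructed member list, a constructed MAINTAINERS excerpt and a constructed bot allowlist. It flags every account holding Reporter or above that is not matched by name or by the e-mail local part, which is the policy line drawn in the mail.

```python
import json
import re

# GitLab project access levels (documented values). The mail's rule is that
# non-maintainers must not hold REPORTER or anything above it.
GUEST = 10
REPORTER = 20
ACCESS_NAMES = {0: "none", 5: "minimal", 10: "guest", 20: "reporter",
                30: "developer", 40: "maintainer", 50: "owner"}

# Constructed sample in the shape of GET /projects/:id/members/all
# (only the fields used here are included).
MEMBERS_JSON = """[
  {"name": "Alice Example", "username": "alice",        "access_level": 40},
  {"name": "Bob Example",   "username": "bobex",        "access_level": 20},
  {"name": "Qemu Janitor",  "username": "qemu-janitor", "access_level": 20},
  {"name": "Carol Example", "username": "carol",        "access_level": 20},
  {"name": "Dave Example",  "username": "dave",         "access_level": 10},
  {"name": "E. Example",    "username": "erin",         "access_level": 30}
]"""

# Constructed MAINTAINERS excerpt in the "M: Name <email>" style.
MAINTAINERS_TEXT = """\
Frobnicator device
M: Alice Example <alice@example.org>
M: Carol Example <carol@example.org>
R: Erin Example <erin@example.org>
S: Maintained
F: hw/misc/frob.c
"""

# Accounts expected to hold Reporter without being maintainers (bots,
# cross-project triage). Constructed here; a real list is project policy.
ALLOWLIST = {"qemu-janitor"}


def maintainer_entries(text):
    """Return (names, email_local_parts) from the M:/R: lines of MAINTAINERS.

    Both sets are case-folded so that matching is case-insensitive.
    """
    names, local_parts = set(), set()
    for line in text.splitlines():
        m = re.match(r"^[MR]:\s*(.*?)\s*<([^>]+)>\s*$", line)
        if m:
            names.add(m.group(1).casefold())
            local_parts.add(m.group(2).split("@", 1)[0].casefold())
    return names, local_parts


def audit(members_json, maintainers_text, allowlist=frozenset()):
    """List (username, name, role) for accounts at Reporter or higher that
    are neither allowlisted nor matched in MAINTAINERS.

    A member matches if the display name equals an M:/R: name, or if the
    GitLab username equals the local part of a listed e-mail address. The
    second rule is a heuristic that catches handle-style accounts; anything
    it misses still shows up here for manual review.
    """
    names, local_parts = maintainer_entries(maintainers_text)
    flagged = []
    for m in json.loads(members_json):
        if m["access_level"] < REPORTER:
            continue                      # Guest or lower is within policy
        if m["username"] in allowlist:
            continue
        matched = (m["name"].casefold() in names
                   or m["username"].casefold() in local_parts)
        if not matched:
            role = ACCESS_NAMES.get(m["access_level"], str(m["access_level"]))
            flagged.append((m["username"], m["name"], role))
    return flagged


if __name__ == "__main__":
    for username, name, role in audit(MEMBERS_JSON, MAINTAINERS_TEXT, ALLOWLIST):
        print(f"{username} ({name}): {role}, not in MAINTAINERS")
```

Running the audit without the allowlist is a useful second pass: it lists the bot accounts too, which is the set that should be reviewed each time a bot token is rotated or a bot is retired.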
