On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> On 17 April 2014 19:54, Michael S. Tsirkin <m...@redhat.com> wrote:
> > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com>
> >> wrote:
> >> > People sometimes detect security issues in upstream
> >> > QEMU and don't know where to report them in a non-public way.
> >> > Of course whoever just wants full disclosure can just go public,
> >> > but there's nothing specified for non-public - until recently Anthony
> >> > was doing this informally.
> >> >
> >> > As I started doing this recently anyway, I can handle this on the QEMU
> >> > side in a more formal way.
> >> >
> >> > Adding a secalert mailing list as well - they are the ones who are
> >> > actually opening CVEs, communicating issues to all downstreams etc,
> >> > and they are already handling this for upstream, not just Red Hat.
> >> >
> >> > Keeping Anthony's address around in case he wants to be informed.
> >> >
> >> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
> >>
> >> What about using qemu-secur...@nongnu.org and creating that as a
> >> moderated mailing list with no public archive?
> >>
> >> That way there's a single contact point and there can be many people
> >> backing it up to make sure that disclosures are handled very quickly.
> >>
> > Also I'd like a more explicit name, we don't want general
> > security related discussions on that list.
> > qemu-secal...@nongnu.org
> > ?
>
> OK, so do we want to:
> (a) commit this patch as-is
> (b) set up the proposed mailing list?
>
> If (b), who has the admin rights to do that?
>
> I don't feel strongly either way.
>
> thanks
> -- PMM
Way I see it, as long as it has the same people, it probably doesn't matter :)
We can get around to creating a list if/when more people volunteer.

I also think we want people to have the option to communicate with pgp.
In some searches I found mailman patches for pgp support:
http://non-gnu.uvt.nl/mailman-pgp-smime/
but without that, we really need to list individual people for now.

-- 
MST