Hi,

I had an idea I wanted to share and see what level of interest there was
in participating and if anyone knows of a process that other projects
follow for this.

I'd like to start a more formal and transparent security audit of QEMU.
The way I'd imagine it working is something like this:

1) People volunteer to be part of the audit team

2) Two people walk through a particular piece of code and independently
flag anything that looks like a potential security issue.

3) Two people independently review everything that's flagged to see if
there's a security issue.

Step (3) is something that requires a fairly deep understanding of QEMU
but step (2) is probably something that a lot of people could
participate in.

I'd want to focus initially on the common PC devices. The list isn't all
that large and a review like this should only take a few hours to
complete each step.

Would folks be interested in participating in something like this? If
so, I can start organizing it.

Regards,

Anthony Liguori