[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosu
From: |
Peter Maydell |
Subject: |
Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure |
Date: |
Thu, 17 Apr 2014 15:03:48 +0100 |
On 17 April 2014 14:54, Michael S. Tsirkin <address@hidden> wrote:
> People sometimes detect security issues in upstream
> QEMU and don't know where to report them in a non-public way.
> Of course whoever just wants full disclosure can just go public,
> but there's nothing specified for non-public - until recently Anthony
> was doing this informally.
>
> As I started doing this recently anyway, I can handle this on the QEMU side
> in a more formal way.
>
> Adding a secalert mailing list as well - they are the ones who is actually
> opening CVEs, communicating issues to all downstreams etc,
> and they are already handling this for upstream, not just Red Hat.
>
> Keeping Anthony's address around in case he wants to be informed.
This makes sense to me -- as I understand it we've always informally
leaned on the Red Hat security apparatus, so having it written down
somewhere so people know who they ought to inform seems like a
good idea to me.
We can also write something up on the wiki at some point.
It might be worth discussing what our general process for
security fixes is -- in the past we've had both:
* fix is quietly committed to git and then announced/posted on
the mailing list
* fix gets a CVE and patches are posted to the list but not
necessarily committed to git
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
> MAINTAINERS | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 34b8c3f..713546f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -52,6 +52,12 @@ General Project Administration
> ------------------------------
> M: Anthony Liguori <address@hidden>
>
> +Responsible Disclosure, Reporting Security Issues
> +------------------------------
> +M: Michael S. Tsirkin <address@hidden>
> +M: Anthony Liguori <address@hidden>
> +L: address@hidden
If our process is going to involve direct-commit-of-fixes
then we probably need more than one committer listed here
to over for holidays/etc.
thanks
-- PMM
- [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/17
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Andreas Färber, 2014/04/17
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure,
Peter Maydell <=
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Anthony Liguori, 2014/04/17
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/17
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/17
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Peter Maydell, 2014/04/28
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/28
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Liguori, Anthony, 2014/04/28
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/28
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Michael S. Tsirkin, 2014/04/28
- Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure, Liguori, Anthony, 2014/04/28