
Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure


From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Mon, 28 Apr 2014 17:35:38 +0300

I'll play around once I get the password.
From what I've seen so far,
I'm not sure it's the right server to use for security :(

The list now appears here
https://lists.nongnu.org/mailman/listinfo
under the heading "Below is a listing of all the public mailing lists on
lists.nongnu.org."
The list page https://lists.nongnu.org/mailman/listinfo/qemu-security
also seems to even have a link to public archives - it's not live
but its presence might scare people away.

We definitely do not want this list to be public - it's so people who want to do
the responsible disclosure process can get some response and possibly
help.

If someone just wants to go public there's always qemu-devel.

I guess we can configure it to actually be non-public, but hiding
information seems unlikely to be one of savannah's strong points.
I know if I was asked to post sensitive information to such
a list I would hesitate, which isn't the effect we are trying to
achieve here.


On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> https://lists.nongnu.org/mailman/admin/qemu-security
> 
> Has been created but it will take 24-48 hours for Savannah to do its thing.  
> I'll send out the mailing list password to Michael and Peter once it is 
> created.
> 
> Regards,
> 
> Anthony Liguori
> 
> ________________________________________
> From: Michael S. Tsirkin address@hidden
> Sent: Monday, April 28, 2014 6:39 AM
> To: Peter Maydell
> Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, 
> Anthony
> Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible 
> disclosure
> 
> On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > On 17 April 2014 19:54, Michael S. Tsirkin <address@hidden> wrote:
> > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> 
> > >> wrote:
> > >> > People sometimes detect security issues in upstream
> > >> > QEMU and don't know where to report them in a non-public way.
> > >> > Of course whoever just wants full disclosure can just go public,
> > >> > but there's nothing specified for non-public - until recently Anthony
> > >> > was doing this informally.
> > >> >
> > >> > As I started doing this recently anyway, I can handle this on the QEMU 
> > >> > side
> > >> > in a more formal way.
> > >> >
> > >> > Adding a secalert mailing list as well - they are the ones who are 
> > >> > actually
> > >> > opening CVEs, communicating issues to all downstreams etc,
> > >> > and they are already handling this for upstream, not just Red Hat.
> > >> >
> > >> > Keeping Anthony's address around in case he wants to be informed.
> > >> >
> > >> > Signed-off-by: Michael S. Tsirkin <address@hidden>
> > >>
> > >> What about using address@hidden and creating that as a
> > >> moderated mailing list with no public archive?
> > >>
> > >> That way there's a single contact point and there can be many people
> > >> backing it up to make sure that disclosures are handled very quickly.
> >
> > >
> > > Also I'd like a more explicit name, we don't want general
> > > security related discussions on that list.
> > > address@hidden
> > > ?
> >
> > OK, so do we want to:
> > (a) commit this patch as-is
> > (b) set up the proposed mailing list?
> >
> > If (b), who has the admin rights to do that?
> >
> > I don't feel strongly either way.
> >
> > thanks
> > -- PMM
> 
> Way I see it, as long as it has the same people, it probably doesn't matter :)
> We can get around to creating a list if/when more people
> volunteer.
> 
> I also think we want people to have the option to communicate with pgp.
> 
> Some searches I found mailman patches for pgp support:
> http://non-gnu.uvt.nl/mailman-pgp-smime/
> 
> but without that, we really need to list individual people for now.
> 
> --
> MST
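The thread above is about a Mailman list that was created with the default settings, so it is advertised on the site-wide listinfo page and shows a (not yet populated) public archive link. As an added illustration, not part of the original thread and not QEMU's or Savannah's configuration, the following is a Mailman 2.1 `config_list` input file (the `lists.nongnu.org/mailman/...` URLs are Mailman 2.x style, which is assumed here) that turns each of the settings that make a disclosure list look public into its private equivalent. The attribute names are Mailman 2.1's own; the comments pair each default with the value a responsible-disclosure contact list wants.

```python
# Mailman 2.1 settings for a private security-contact list.
# Apply with:  bin/config_list -i qemu-security.cfg qemu-security
# Each line shows the default that exposes the list, then the fix.
# (Constructed example; not the real qemu-security configuration.)

# advertised = 1 lists the list on /mailman/listinfo for everyone.
advertised = 0

# archive = 1 with archive_private = 0 creates a public pipermail archive
# (the link the reporter above found). Either disable archiving ...
archive = 0
# ... or, if an archive is wanted for the handlers, keep it but make it
# members-only so the link on the listinfo page disappears.
archive_private = 1

# subscribe_policy = 1 (confirm) lets anyone join and read reports.
# 3 = confirm and then require admin approval.
subscribe_policy = 3

# private_roster = 1 shows the member list to other members;
# 2 restricts it to the list administrators.
private_roster = 2

# Reporters are not members, so non-member posts must NOT be rejected
# or discarded (the defaults for a closed list). 1 = hold for moderation
# so a moderator sees the report and can forward it without it bouncing;
# 0 would accept it straight to the members.
generic_nonmember_action = 1

# Do not leak the reporter's address or the handlers' addresses in the
# web UI and in automatic replies.
obscure_addresses = 1
respond_to_post_requests = 0
```

Check the result from the outside, not from the admin page: with these settings `/mailman/listinfo` must no longer show the list, `/mailman/listinfo/qemu-security` must show no archive link, and `/pipermail/qemu-security/` must return 403 or 404. The setting that is easiest to get wrong is `generic_nonmember_action`: a private list whose non-member posts are silently discarded will drop exactly the reports it exists to receive, which is why the hold action is used here.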


