qemu-devel

Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosu


From: Liguori, Anthony
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Mon, 28 Apr 2014 21:00:40 +0000

I think this is a bit overkill.  Many projects use private mailing lists for this purpose.

Regards,

Anthony Liguori

________________________________________
From: Michael S. Tsirkin address@hidden
Sent: Monday, April 28, 2014 10:53 AM
To: Liguori, Anthony
Cc: Peter Maydell; Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure

On Mon, Apr 28, 2014 at 05:35:38PM +0300, Michael S. Tsirkin wrote:
> I'll play around once I get the password.
> From what I've seen so far,
> I'm not sure it's the right server to use for security :(

I did some more research and savannah does not seem to support any
encryption for its lists: neither TLS nor PGP.

This would mean that all communication has to be in the clear.

I think that for this use, we would be better off with an option that
can guarantee a measure of privacy.  For now simply listing specific
addresses and GPG keys looks like the only way.

Makes sense?
I would really like us to get an agreement on this so we can start
making progress on harder issues such as agreeing on a security policy.


> The list now appears here
> https://lists.nongnu.org/mailman/listinfo
> under the heading "Below is a listing of all the public mailing lists on
> lists.nongnu.org."
> The list page https://lists.nongnu.org/mailman/listinfo/qemu-security
> also seems to even have a link to public archives - it's not live
> but its presence might scare people away.
>
> We definitely do not want this list to be public - it's so people who want to do
> the responsible disclosure process can get some response and possibly
> help.
>
> If someone just wants to go public there's always qemu-devel.
>
> I guess we can configure it to actually be non-public, but hiding
> information seems unlikely to be one of savannah's strong points.
> I know if I was asked to post sensitive information to such
> a list I would hesitate, which isn't the effect we are trying to
> achieve here.
>
>
> On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> > https://lists.nongnu.org/mailman/admin/qemu-security
> >
> > Has been created but it will take 24-48 hours for Savannah to do its
> > thing.  I'll send out the mailing list password to Michael and Peter once
> > it is created.
> >
> > Regards,
> >
> > Anthony Liguori
> >
> > ________________________________________
> > From: Michael S. Tsirkin address@hidden
> > Sent: Monday, April 28, 2014 6:39 AM
> > To: Peter Maydell
> > Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; Liguori, Anthony
> > Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
> >
> > On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > > On 17 April 2014 19:54, Michael S. Tsirkin <address@hidden> wrote:
> > > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > > >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> 
> > > >> wrote:
> > > >> > People sometimes detect security issues in upstream
> > > >> > QEMU and don't know where to report them in a non-public way.
> > > >> > Of course whoever just wants full disclosure can just go public,
> > > >> > but there's nothing specified for non-public - until recently Anthony
> > > >> > was doing this informally.
> > > >> >
> > > >> > As I started doing this recently anyway, I can handle this on the QEMU side
> > > >> > in a more formal way.
> > > >> >
> > > >> > Adding a secalert mailing list as well - they are the ones who are actually
> > > >> > opening CVEs, communicating issues to all downstreams etc,
> > > >> > and they are already handling this for upstream, not just Red Hat.
> > > >> >
> > > >> > Keeping Anthony's address around in case he wants to be informed.
> > > >> >
> > > >> > Signed-off-by: Michael S. Tsirkin <address@hidden>
> > > >>
> > > >> What about using address@hidden and creating that as a
> > > >> moderated mailing list with no public archive?
> > > >>
> > > >> That way there's a single contact point and there can be many people
> > > >> backing it up to make sure that disclosures are handled very quickly.
> > >
> > > >
> > > > Also I'd like a more explicit name, we don't want general
> > > > security related discussions on that list.
> > > > address@hidden
> > > > ?
> > >
> > > OK, so do we want to:
> > > (a) commit this patch as-is
> > > (b) set up the proposed mailing list?
> > >
> > > If (b), who has the admin rights to do that?
> > >
> > > I don't feel strongly either way.
> > >
> > > thanks
> > > -- PMM
> >
> > Way I see it, as long as it has the same people, it probably doesn't matter :)
> > We can get around to creating a list if/when more people
> > volunteer.
> >
> > I also think we want people to have the option to communicate with pgp.
> >
> > In some searches I found mailman patches for pgp support:
> > http://non-gnu.uvt.nl/mailman-pgp-smime/
> >
> > but without that, we really need to list individual people for now.
> >
> > --
> > MST
