Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure


From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Tue, 29 Apr 2014 08:36:44 +0300

On Mon, Apr 28, 2014 at 09:00:40PM +0000, Liguori, Anthony wrote:
> I think this is a bit overkill.
Hmm to clarify, this forces people to send info
about 0 day exploits over the internet in cleartext.

What do we get in return for sacrificing the privacy? A small
convenience of not typing in 3 addresses?

>  Many projects use private mailing lists for this purpose.
True that some others do this but frankly I don't understand it.
Maybe this tradeoff starts to make sense if the list of subscribers is
large?


> 
> Regards,
> 
> Anthony Liguori
> 
> ________________________________________
> From: Michael S. Tsirkin address@hidden
> Sent: Monday, April 28, 2014 10:53 AM
> To: Liguori, Anthony
> Cc: Peter Maydell; Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas 
> Färber
> Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible 
> disclosure
> 
> On Mon, Apr 28, 2014 at 05:35:38PM +0300, Michael S. Tsirkin wrote:
> > I'll play around once I get the password.
> > From what I've seen so far,
> > I'm not sure it's the right server to use for security :(
> 
> I did some more research and savannah does not seem to support any
> encryption for its lists: neither TLS nor PGP.
> 
> This would mean that all communication has to be in the clear.
> 
> I think that for this use, we would be better off with an option that
> can guarantee a measure of privacy.  For now simply listing specific
> addresses and GPG keys looks like the only way.
> 
> Makes sense?
> I would really like us to get an agreement on this so we can start
> making progress on harder issues such as agreeing on a security policy.
> 
> 
> > The list now appears here
> > https://lists.nongnu.org/mailman/listinfo
> > under the heading "Below is a listing of all the public mailing lists on
> > lists.nongnu.org."
> > The list page https://lists.nongnu.org/mailman/listinfo/qemu-security
> > also seems to even have a link to public archives - it's not live
> > but its presence might scare people away.
> >
> > We definitely do not want this list to be public - it's so people who want 
> > to do
> > the responsible disclosure process can get some response and possibly
> > help.
> >
> > If someone just wants to go public there's always qemu-devel.
> >
> > I guess we can configure it to actually be non-public, but hiding
> > information seems unlikely to be one of savannah's strong points.
> > I know if I was asked to post sensitive information to such
> > a list I would hesitate, which isn't the effect we are trying to
> > achieve here.
> >
> >
> > On Mon, Apr 28, 2014 at 01:57:26PM +0000, Liguori, Anthony wrote:
> > > https://lists.nongnu.org/mailman/admin/qemu-security
> > >
> > > Has been created but it will take 24-48 hours for Savannah to do its 
> > > thing.  I'll send out the mailing list password to Michael and Peter once 
> > > it is created.
> > >
> > > Regards,
> > >
> > > Anthony Liguori
> > >
> > > ________________________________________
> > > From: Michael S. Tsirkin address@hidden
> > > Sent: Monday, April 28, 2014 6:39 AM
> > > To: Peter Maydell
> > > Cc: Anthony Liguori; qemu-devel; Stefan Hajnoczi; Andreas Färber; 
> > > Liguori, Anthony
> > > Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible 
> > > disclosure
> > >
> > > On Mon, Apr 28, 2014 at 02:24:45PM +0100, Peter Maydell wrote:
> > > > On 17 April 2014 19:54, Michael S. Tsirkin <address@hidden> wrote:
> > > > > On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> > > > >> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> 
> > > > >> wrote:
> > > > >> > People sometimes detect security issues in upstream
> > > > >> > QEMU and don't know where to report them in a non-public way.
> > > > >> > Of course whoever just wants full disclosure can just go public,
> > > > >> > but there's nothing specified for non-public - until recently 
> > > > >> > Anthony
> > > > >> > was doing this informally.
> > > > >> >
> > > > >> > As I started doing this recently anyway, I can handle this on the 
> > > > >> > QEMU side
> > > > >> > in a more formal way.
> > > > >> >
> > > > >> > Adding a secalert mailing list as well - they are the ones who are 
> > > > >> > actually
> > > > >> > opening CVEs, communicating issues to all downstreams etc,
> > > > >> > and they are already handling this for upstream, not just Red Hat.
> > > > >> >
> > > > >> > Keeping Anthony's address around in case he wants to be informed.
> > > > >> >
> > > > >> > Signed-off-by: Michael S. Tsirkin <address@hidden>
> > > > >>
> > > > >> What about using address@hidden and creating that as a
> > > > >> moderated mailing list with no public archive?
> > > > >>
> > > > >> That way there's a single contact point and there can be many people
> > > > >> backing it up to make sure that disclosures are handled very quickly.
> > > >
> > > > >
> > > > > Also I'd like a more explicit name, we don't want general
> > > > > security related discussions on that list.
> > > > > address@hidden
> > > > > ?
> > > >
> > > > OK, so do we want to:
> > > > (a) commit this patch as-is
> > > > (b) set up the proposed mailing list?
> > > >
> > > > If (b), who has the admin rights to do that?
> > > >
> > > > I don't feel strongly either way.
> > > >
> > > > thanks
> > > > -- PMM
> > >
> > > Way I see it, as long as it has the same people, it probably doesn't 
> > > matter :)
> > > We can get around to creating a list if/when more people
> > > volunteer.
> > >
> > > I also think we want people to have the option to communicate with pgp.
> > >
> > > Some searches I found mailman patches for pgp support:
> > > http://non-gnu.uvt.nl/mailman-pgp-smime/
> > >
> > > but without that, we really need to list individual people for now.
> > >
> > > --
> > > MST