Re: About 'qemu-security' mailing list
From: P J P
Subject: Re: About 'qemu-security' mailing list
Date: Wed, 18 Nov 2020 16:02:52 +0530 (IST)
Hello Dan, Stefan,
+-- On Tue, 17 Nov 2020, Daniel P. Berrangé wrote --+
| On Tue, Nov 17, 2020 at 04:19:42PM +0000, Stefan Hajnoczi wrote:
| > Dan and I tried out confidential issues and unfortunately it is
| > currently too limited for our workflow.
| >
| > It is not possible to add non-members to a confidential issue. Members
| > need at least the 'Reporter' role to view confidential issues, and then
| > they can view all of them (!).
| >
| > This means there is no way of working on a need-to-know basis. We would
| > have to give anyone who ever needs to comment on an issue access to all
| > other issues :(.
| >
| > Dan found this open feature request from 2 years ago:
| > https://gitlab.com/gitlab-org/gitlab/-/issues/20252
| >
| > For now I think we should stick to email.
I think email is best and easiest for all.
| > I'm still concerned about the prospect of writing custom mailing list
| > software and hosting it somewhere. Can we run an encrypted mailing list
| > without developing the software ourselves?
|
| We certainly should NOT get into the business of writing or hosting
| custom solutions ourselves IMHO. Even if someone volunteers to do the
| work upfront, that'll inevitably turn into abandonware a few years
| hence when the interested party moves onto other things.
* I don't know of any list provider which supports encryption.
* For custom software, there is this 'schleuder' project
-> https://0xacab.org/schleuder/schleuder
-> https://schleuder.org/schleuder/docs/concept.html
A gpg-enabled mailing list manager with resending-capabilities.
* I have not used it or played with it.
| I still question whether we genuinely need encrypted mailing lists in
| the first place.
|
| Out of all the security reports QEMU has received how many reporters
| actually used GPG to encrypt their reports, and how often did the
| security team actually keep using GPG when triaging and resolving it
| thereafter.
|
| Out of countless security issues I've dealt with across many software
| projects for 10 years, there have been less than 5 occasions where
| encryption was used with email by a bug reporter notifying me, and out
| of those only 1 of them actually justified the use of GPG.
|
| For projects that did use confidential issues, they still all emailed
| notifications in clear text behind the scenes regardless.
|
| Is it not sufficient to just use a regular mailing list by default,
| and continue to publish security team pgp email addrs + keys for the
| few cases where pgp might be desired.
* True, need & usage of encryption is debatable and difficult.
* Above points and possible solution of keeping the current handful of PGP keys
available did come up earlier
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05213.html
* At this point, I think let's get started with a regular list for now. We can
still continue to explore encryption support options.
@Stefanha: do we need to file a request ticket to create 'qemu-security' list?
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D