Re: About 'qemu-security' mailing list

[Peter Maydell]

On Fri, 11 Sep 2020 at 15:22, P J P <ppandit@redhat.com> wrote:
> Proposal: (to address above limitations)
> =========
>
> * We set up a new 'qemu-security' mailing list.
>
> * QEMU security issues are reported to this new list only.
>
> * Representatives from various communities subscribe to this list. (List maybe
>    moderated in the beginning.)
>
> * As QEMU issues come in, participants on the 'qemu-security' list shall
>    discuss and decide about how to triage them further.

Way way back, the idea of a qemu-security list was proposed, and
it was decided against because there wasn't a clear way that
people could send encrypted mail to the security team if it
was just a mailing list. So that's why we have the "handful
of individual contacts" approach. Is that still something people
care about ?

My question is, who decides who's on the qemu-security list?
Is this just "it's the same handful of contacts, but they
have a mailing list for convenience" ? It sounds like you
want it to be a larger grouping than that and maybe also
want to use it as a mechanism for informing downstream distros
etc about QEMU security issues, which is to say you're
proposing an overhaul and change to our security process,
not merely "we'd like to create a mailing list" ?

thanks
-- PMM