qemu-devel

Re: About 'qemu-security' mailing list


From: Alexander Bulekov
Subject: Re: About 'qemu-security' mailing list
Date: Fri, 11 Sep 2020 11:58:41 -0400

And I forgot to mention that I think it is a great idea :) . Over the past
couple of months, I reported a few dozen bugs on Launchpad. Even though
many of them are memory corruptions and might fall under the
"security-bug" label, they could be fixed faster simply because the
reports can reach the maintainer without a manual triage process.
With more eyes available, it could be possible to report fuzzing bugs,
while sticking to the security process. It would be especially useful as
we are ramping up automated fuzzing on google's oss-fuzz and thinking
about how to handle those reports.
-Alex

On 200911 1140, Alexander Bulekov wrote:
> Hi Prasad,
> A couple questions:
>  * I'm guessing this will be a closed list with some application/vetting
>    procedure for the participants? (Maybe this is what you mean by
>    "moderated" ?)
>  * How will the communication be encrypted?
>  * Will secalert still be subscribed (for managing CVE ID assignments)?
>  * Assuming PGP will be gone, will it be possible to make the "This bug
>    is a security vulnerability" button work on Launchpad?
> Thanks!
> -Alex
> 
> On 200911 1950, P J P wrote:
> >   Hello all,
> > 
> > Recently while conversing with DanPB this point came up
> > 
> >    -> https://www.qemu.org/contribute/security-process/
> > 
> > * Currently QEMU security team is a handful of individual contacts which
> >   restricts community participation in dealing with these issues.
> > 
> > * The onus also lies with the individuals to inform the community about QEMU
> >   security issues, as they come in.
> > 
> > 
> > Proposal: (to address above limitations)
> > =========
> > 
> > * We set up a new 'qemu-security' mailing list.
> > 
> > * QEMU security issues are reported to this new list only.
> > 
> > * Representatives from various communities subscribe to this list. (List
> >   may be moderated in the beginning.)
> > 
> > * As QEMU issues come in, participants on the 'qemu-security' list shall
> >   discuss and decide about how to triage them further.
> > 
> > Please kindly let us know your views about it. I'd appreciate it if you have
> > any suggestions/inputs/comments about the same.
> > 
> > 
> > Thank you.
> > --
> > Prasad J Pandit / Red Hat Product Security Team
> > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> > 
> > 
> 
