qemu-devel

Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Date: Wed, 2 Dec 2020 14:36:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0

On 12/2/20 2:17 PM, P J P wrote:
> +-- On Tue, 1 Dec 2020, Philippe Mathieu-Daudé wrote --+ 
> | Is it possible to release the reproducer to the community, so we can work
> | on a fix and test it?
> 
> * No, we can not release/share reproducers on a public list.
> 
> * We can request reporters to do so by their volition.
> 
[...]
> 
> * Even then, we'll need to ask reporter's permission before sharing their 
>   reproducers on a public list OR with non-members.
> 
> * Best is if reporters share/release reproducers themselves. Maybe we can
>   have a public git repository and they can send a PR to include their
>   reproducers in the repository.

While EDK2 security workflow has its own drawbacks (inherent
to the project), a fair part is to ask the reporter to attach
its reproducer to the private BZ, then when the embargo expires
the BZ becomes public (as the reproducer). Thus the community
can look at how the bug was handled, how it was reviewed/tested,
by who, etc.

https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues

> 
> * That way multiple reproducers for the same issue can be held together.



