Re: [libvirt] [PATCH] Document security reporting & handling process
On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> Historically security issues in libvirt have been primarily
> triaged & fixed by the Red Hat libvirt members & Red Hat
> security team, who then usually notify other vendors via
> appropriate channels. There have been a number of times
> when vendors have not been properly notified ahead of
> announcement. It has also disadvantaged community members
> who have to backport fixes to releases for which there are
> no current libvirt stable branches.
>
> To address this, we want to make the libvirt security process
> entirely community focused / driven. To this end I have setup
> a new email address "libvirt-security(a)redhat.com" for end
> users to report bugs which have (possible) security implications.
>
> This email addr is backed by an invitation only, private
> archive, mailing list. The intent is for the list membership
> to comprise a subset of the libvirt core team, along with any
> vendor security team engineers who wish to participate in a
> responsible disclosure process for libvirt. Members of the
> list will be responsible for analysing the problem to determine
> if a security issue exists and then issue fixes for all current
> official stable branches & git master.
>
> I am proposing the following libvirt core team people as
> members of the security team / list (all cc'd):
>
> Daniel Berrange (Red Hat)
> Eric Blake (Red Hat)
> Jiri Denemar (Red Hat)
> Daniel Veillard (Red Hat)
> Jim Fehlig (SUSE)
> Doug Goldstein (Gentoo)
> Guido Günther (Debian)
>
> We don't have anyone from Ubuntu on the libvirt core team.
> Serge Hallyn is the most frequent submitter of patches from
> Ubuntu in recent history, so I'd like to invite him to join.
> Alternatively, Serge, feel free to suggest someone else to
> represent Ubuntu's interests.
Is it worth adding any BSD representation? Roman Bogorodskiy might be
the best candidate on that front.
Yep, meant to mention that. I was not sure whether any *BSD is actually
distributing formal libvirt packages to users yet, or if they're still
just at the code porting stage. Roman, what's the status of the FreeBSD
port / packaging effort from your POV ?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|