
On Fri, Jun 28, 2013 at 11:45:59AM -0600, Eric Blake wrote:
On 06/04/2013 09:33 AM, Eric Blake wrote:
On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Historically security issues in libvirt have been primarily triaged & fixed by the Red Hat libvirt members & Red Hat security team, who then usually notify other vendors via appropriate channels. There have been a number of times when vendors have not been properly notified ahead of announcement. It has also disadvantaged community members who have to backport fixes to releases for which there are no current libvirt stable branches.
To address this, we want to make the libvirt security process entirely community focused / driven. To this end I have set up a new email address "libvirt-security@redhat.com" for end users to report bugs which have (possible) security implications.
Document how to report security bugs and the process that will be used for addressing them.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 docs/bugs.html.in            |  12 +++++
 docs/contact.html.in         |  12 +++++
 docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
 docs/sitemap.html.in         |   4 ++
 4 files changed, 141 insertions(+)
 create mode 100644 docs/securityprocess.html.in
Did this ever get pushed? It should go in before 1.1.0 is released, particularly since we have already used this list to discuss CVE-2013-2218 (more details on Monday when embargo ends).
Right, I pushed it! Thanks!

Daniel

--
Daniel Veillard | Open Source and Standards, Red Hat
veillard@redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/