Hi Folks, After much work I've finally got a formal Libvirt Security Notice (LSN) setup worked out. Every security issue that is reported & confirmed on the libvirt security mailing list will have a formal LSN prepared. This is a simple XML document containing metadata & other information about the issue we deem relevant. Initially this will be private if there is an embargo applied. Once the issue is made public, will the LSN notices will be added to the following public GIT repository: http://libvirt.org/git/?p=libvirt-security-notice.git;a=summary This GIT repository is used to populate a new public website http://security.libvirt.org/ A plain text rendering of the LSN will also be sent to the mailing list libvirt-announce(a)redhat.com Every issue is available in text, html and xml formats eg http://security.libvirt.org/2014/0002.txt http://security.libvirt.org/2014/0002.html http://security.libvirt.org/2014/0002.xml If anyone backports a fix for a security issue to various -maint branches, the LSN notice in GIT should be updated with GIT hash of the backports. If a maint release is created, the tag should also be added to the LSN. After countless hours investigation I have populated the repository with a list of all historical issues in libvirt that I'm aware of. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|