[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [qemu-web PATCH v2] Add "Security Process" information to the main w
|
From: |
Thomas Huth |
|
Subject: |
Re: [qemu-web PATCH v2] Add "Security Process" information to the main website |
|
Date: |
Mon, 27 Jan 2020 11:00:29 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 |
On 23/01/2020 20.43, Eric Blake wrote:
> On 1/23/20 11:11 AM, Thomas Huth wrote:
>> One reporter of a security issue recently complained that it might not
>> be the best idea to store our "Security Process" in the Wiki. Well, while
>> the page in the Wiki is protected (so that only some few people can edit
>> it), it is still possible that someone might find a bug in the Wiki
>> software to alter the page contents...
>> Anyway, it looks more trustworthy if we present the "Security Process"
>> information in the static website instead. Thus this patch adds the
>> information from the wiki to the Jekyll-based website now.
>>
>> Signed-off-by: Thomas Huth <address@hidden>
>> ---
>> v2: Improved some sentences as suggested by Paolo
>>
>
>> +### Publication embargo
>> +
>> +As a security issue reported, that is not already publically disclosed
>
> publicly
>
>> +elsewhere, has an embargo date assigned and communicated to reporter.
>> Embargo
>
> Reads awkwardly. I'd suggest:
>
> If a security issue is reported that is not already publicly disclosed,
> an embargo date may be assigned and communicated to the reporter.
Ok, thanks, I've added your suggestions and pushed the changes now to
the website.
To the people on CC: ... could someone please update the wiki page
(https://wiki.qemu.org/SecurityProcess) to point to
https://www.qemu.org/contribute/security-process/ instead? ... I don't
have write access to that page, so I can not do that on my own.
Thomas