[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [qemu-web PATCH v2] Add "Security Process" information to the main w
From: |
Paolo Bonzini |
Subject: |
Re: [qemu-web PATCH v2] Add "Security Process" information to the main website |
Date: |
Mon, 27 Jan 2020 19:55:18 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.1 |
On 27/01/20 11:00, Thomas Huth wrote:
> On 23/01/2020 20.43, Eric Blake wrote:
>> On 1/23/20 11:11 AM, Thomas Huth wrote:
>>> One reporter of a security issue recently complained that it might not
>>> be the best idea to store our "Security Process" in the Wiki. Well, while
>>> the page in the Wiki is protected (so that only some few people can edit
>>> it), it is still possible that someone might find a bug in the Wiki
>>> software to alter the page contents...
>>> Anyway, it looks more trustworthy if we present the "Security Process"
>>> information in the static website instead. Thus this patch adds the
>>> information from the wiki to the Jekyll-based website now.
>>>
>>> Signed-off-by: Thomas Huth <address@hidden>
>>> ---
>>> v2: Improved some sentences as suggested by Paolo
>>>
>>
>>> +### Publication embargo
>>> +
>>> +As a security issue reported, that is not already publically disclosed
>>
>> publicly
>>
>>> +elsewhere, has an embargo date assigned and communicated to reporter.
>>> Embargo
>>
>> Reads awkwardly. I'd suggest:
>>
>> If a security issue is reported that is not already publicly disclosed,
>> an embargo date may be assigned and communicated to the reporter.
>
> Ok, thanks, I've added your suggestions and pushed the changes now to
> the website.
>
> To the people on CC: ... could someone please update the wiki page
> (https://wiki.qemu.org/SecurityProcess) to point to
> https://www.qemu.org/contribute/security-process/ instead? ... I don't
> have write access to that page, so I can not do that on my own.
Done, I will add a server-side redirect when I have some time.
Paolo