[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
|
From: |
Cornelia Huck |
|
Subject: |
Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field |
|
Date: |
Tue, 14 Jul 2020 13:51:55 +0200 |
On Tue, 14 Jul 2020 14:06:31 +0530
P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> QEMU supports numerous virtualisation and emulation use cases.
> It also offers many features to support guest's function(s).
>
> All of these use cases and features are not always security relevant.
> Because some maybe used in trusted environments only. Some may still
> be in experimental stage. While other could be very old and not
> used or maintained actively.
>
> For security bug analysis we generally consider use cases wherein
> QEMU is used in conjunction with the KVM hypervisor, which enables
> guest to use hardware processor's virtualisation features.
>
> The CVE (or Security or Trust) Quotient field tries to capture this
> sensitivity pertaining to a feature or section of the code.
>
> It indicates whether a potential issue should be treated as a security
> one OR it could be fixed as a regular non-security bug.
>
> Suggested-by: Daniel P. Berrange <berrange@redhat.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> MAINTAINERS | 324 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 324 insertions(+)
>
(...)
> @@ -87,6 +95,7 @@ S390 general architecture support
> M: Cornelia Huck <cohuck@redhat.com>
> M: Thomas Huth <thuth@redhat.com>
> S: Supported
> +C: High
Just to reiterate what others have previously stated:
The granularity in MAINTAINERS and how it is organized does not really
work well with what you are trying to do with this classification.
If I pick just this entry as an example: It covers *all* s390x-related
code, and this covers both things like support for protected
virtualization (definitely critical) and virtio-9p-ccw (definitely not
critical). It is important that somebody is looking after s390x overall
(hence the "Supported" state), but not all s390x-related code is
equally critical.
I see the main purpose of the MAINTAINERS file to find the right
contacts for an area; other approaches like tagging of devices and
features seem to be better suited for figuring out which areas are
deemed critical.
> F: default-configs/s390x-softmmu.mak
> F: gdb-xml/s390*.xml
> F: hw/char/sclp*.[hc]
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, (continued)
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Daniel P . Berrangé, 2020/07/14
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Kevin Wolf, 2020/07/14
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Thomas Huth, 2020/07/14
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Christian Schoenebeck, 2020/07/14
- Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Daniel P . Berrangé, 2020/07/14
Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Philippe Mathieu-Daudé, 2020/07/14
Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field,
Cornelia Huck <=
Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field, Dr. David Alan Gilbert, 2020/07/16
Re: [PATCH 0/1] MAINTAINERS: add security quotient field, Michael S. Tsirkin, 2020/07/14