qemu-devel

Re: About 'qemu-security' mailing list


From: P J P
Subject: Re: About 'qemu-security' mailing list
Date: Thu, 1 Oct 2020 23:47:21 +0530 (IST)

+-- On Thu, 1 Oct 2020, Darren Kenny wrote --+
| The storage of reproducers would indeed be good to have in something
| like Gitlab - but that'd require someone to extract it and store it, but
| under what naming would be another issue... But really that's behind the
| scenes.

  Yes.
 
| > Maybe we could start with a moderated list and improvise as we go forward?
| 
| I really think that encryption of the details of a vulnerability is 
| important, if somehow it gets intercepted - which is not that difficult with 
| e-mail - then there is the potential for a malicious party to exploit it 
| before a fix is available to distros, and deployed.

  Encrypted list, open to receive non-encrypted reports seems okay. Will have 
to check how to set it up and its workflow.
 
| Something that has happened since the Intel Spectre/Meltdown vulnerabilities 
| were initially brought to light is more communication between security teams 
| in various orgs. To do this those discussions have started being done on 
| Keybase, which provides secure chats as well as secured Git repos.
| 
| Has anything like that been considered as the point for subsequent 
| discussions on issues post the initial disclosure?

  That has not come up for QEMU issues yet. Maybe we could consider it in 
future if required.

+-- On Thu, 1 Oct 2020, Konrad Rzeszutek Wilk wrote --+
| The problem with Keybase was how to review patches. Now if they had an 
| encrypted mailing list as part of their Git repos that would be awesome. 
| (Trying to find a "Feature request" but not having much luck :-()

 True. Email + PGP/GPG has been around for so many years, yet there is no 
seamless combination of the two. :(

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D



