From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Daniel P. Berrange"
Subject: Re: KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 13:55:58 +0100
Message-ID: <20140429125558.GA3079@redhat.com>
References: <8738gxgary.fsf@elfo.mitica> <8761ltwjqt.fsf@blackfin.pond.sub.org> <20140429055124.GA12031@redhat.com> <20140429100948.GB15521@redhat.com> <87oazktivd.fsf@blackfin.pond.sub.org>
In-Reply-To: <87oazktivd.fsf@blackfin.pond.sub.org>
Reply-To: "Daniel P. Berrange"
To: Markus Armbruster
Cc: Peter Maydell, "Michael S. Tsirkin", qemu list, KVM devel mailing list, Juan Quintela
List-Id: kvm.vger.kernel.org

On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote:
> Peter Maydell writes:
>
> > On 29 April 2014 11:09, Michael S. Tsirkin wrote:
> >> Let's just make clear how to contact us securely, when to contact that
> >> list, and what we'll do with the info. I cobbled together the
> >> following:
> >> http://wiki.qemu.org/SecurityProcess
> >
> > Looks generally OK I guess. I'd drop the 'how to use pgp' section --
> > anybody who cares will already know how to send us PGP email.
>
> The first paragraph under "How to Contact Us Securely" is fine, the rest
> seems redundant for readers familiar with PGP, yet hardly sufficient for
> the rest.
>
> One thing I like about Libvirt's Security Process page[*] is they give
> an idea on embargo duration.

FWIW I picked the "2 weeks" length myself, a completely arbitrary timeframe.
We haven't stuck to that strictly - we consider needs of each vulnerability
as it is triaged to determine the minimum practical embargo time.

So think of "2 weeks" as more of a guiding principle to show the world that
we don't believe in keeping issues under embargo for very long periods of
time.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|