Hello Dan, Stefan,

+-- On Tue, 17 Nov 2020, Daniel P. Berrangé wrote --+
| On Tue, Nov 17, 2020 at 04:19:42PM +0000, Stefan Hajnoczi wrote:
| > Dan and I tried out confidential issues and unfortunately it is
| > currently too limited for our workflow.
| >
| > It is not possible to add non-members to a confidential issue. Members
| > need at least the 'Reporter' role to view confidential issues, and then
| > they can view all of them (!).
| >
| > This means there is no way of working on a need-to-know basis. We would
| > have to give anyone who ever needs to comment on an issue access to all
| > other issues :(.
| >
| > Dan found this open feature request from 2 years ago:
| > https://gitlab.com/gitlab-org/gitlab/-/issues/20252
| >
| > For now I think we should stick to email.

I think email is best and easiest for all.

| > I'm still concerned about the prospect of writing custom mailing list
| > software and hosting it somewhere. Can we run an encrypted mailing list
| > without developing the software ourselves?
|
| We certainly should NOT get into the business of writing or hosting
| custom solutions ourselves IMHO. Even if someone volunteers to do the
| work upfront, that'll inevitably turn into abandonware a few years
| hence when the interested party moves onto other things.

* I don't know of any list provider which supports encryption.

* For custom software, there is this 'schleuder' project
  -> https://0xacab.org/schleuder/schleuder
  -> https://schleuder.org/schleuder/docs/concept.html

  A gpg-enabled mailing list manager with resending-capabilities.

* I have not used it or played with it.

| I still question whether we genuinely need encrypted mailing lists in
| the first place.
|
| Out of all the security reports QEMU has received, how many reporters
| actually used GPG to encrypt their reports, and how often did the
| security team actually keep using GPG when triaging and resolving it
| thereafter.
|
| Out of countless security issues I've dealt with across many software
| projects for 10 years, there have been less than 5 occasions where
| encryption was used with email by a bug reporter notifying me, and out
| of those only 1 of them actually justified the use of GPG.
|
| For projects that did use confidential issues, they still all emailed
| notifications in clear text behind the scenes regardless.
|
| Is it not sufficient to just use a regular mailing list by default,
| and continue to publish security team pgp email addrs + keys for the
| few cases where pgp might be desired.

* True, need & usage of encryption is debatable and difficult.

* Above points and the possible solution of keeping the current handful of PGP keys available did come up earlier
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05213.html

* At this point I think, let's get started with a regular list for now. We can still continue to explore encryption support options.

@Stefanha: do we need to file a request ticket to create the 'qemu-security' list?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D