From: Markus Armbruster
Subject: Re: [Qemu-devel] KVM call agenda for 2014-04-28
Date: Tue, 29 Apr 2014 15:31:32 +0200
Message-ID: <87d2g0s1mz.fsf@blackfin.pond.sub.org>
References: <8738gxgary.fsf@elfo.mitica> <8761ltwjqt.fsf@blackfin.pond.sub.org> <20140429055124.GA12031@redhat.com> <20140429100948.GB15521@redhat.com> <87oazktivd.fsf@blackfin.pond.sub.org> <20140429125558.GA3079@redhat.com>
In-Reply-To: <20140429125558.GA3079@redhat.com> (Daniel P. Berrange's message of "Tue, 29 Apr 2014 13:55:58 +0100")
To: "Daniel P. Berrange"
Cc: Peter Maydell, "Michael S. Tsirkin", qemu list, KVM devel mailing list, Juan Quintela

"Daniel P. Berrange" writes:

> On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote:
>> Peter Maydell writes:
>>
>> > On 29 April 2014 11:09, Michael S. Tsirkin wrote:
>> >> Let's just make clear how to contact us securely, when to contact that
>> >> list, and what we'll do with the info. I cobbled together the
>> >> following:
>> >> http://wiki.qemu.org/SecurityProcess
>> >
>> > Looks generally OK I guess. I'd drop the 'how to use pgp' section --
>> > anybody who cares will already know how to send us PGP email.
>>
>> The first paragraph under "How to Contact Us Securely" is fine, the rest
>> seems redundant for readers familiar with PGP, yet hardly sufficient for
>> the rest.
>>
>> One thing I like about Libvirt's Security Process page[*] is they give
>> an idea on embargo duration.
>
> FWIW I picked the "2 weeks" length myself as a completely arbitrary timeframe.
> We haven't stuck to that strictly - we consider needs of each vulnerability
> as it is triaged to determine the minimum practical embargo time. So think
> of "2 weeks" as more of a guiding principle to show the world that we don't
> believe in keeping issues under embargo for very long periods of time.

Pretty much the way I read it :)

The point I care about is a commitment to getting fixes out quickly, making
clear we're not going to abuse "responsible disclosure" to cover dragging of
feet and deflecting blame.