Re: About 'qemu-security' mailing list
From: Thomas Huth
Subject: Re: About 'qemu-security' mailing list
Date: Wed, 16 Sep 2020 15:25:45 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
On 16/09/2020 15.06, Daniel P. Berrangé wrote:
> On Wed, Sep 16, 2020 at 01:33:38PM +0100, Peter Maydell wrote:
>> On Wed, 16 Sep 2020 at 12:10, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>>> I think it's worth investigating whether GitLab Issues can be configured
>>> in a secure-enough way for security bug reporting. That way HTTPS is
>>> used and only GitLab stores the confidential information (this isn't
>>> end-to-end encryption but seems better than unencrypted SMTP and
>>> plaintext emails copied across machines).
>>
>> Given that we currently use launchpad for bugs we should also look
>> at whether launchpad's "private security" bug classification would
>> be useful for us (currently such bug reports effectively go to /dev/null
>> but this can be fixed).
I've somehow managed to subscribe myself to our private LP bugs, so I
get notified if there is a new one.
> Using a bug tracker has the notable advantage over direct email CC's
> that if the security triage team needs to pull in a domain specific
> expert, that newly added person can still see the full history of
> discussion on the bug.
>
> With individual email CC's, the previous discussions are essentially
> an information blackhole until the security triage team is good enough
> to forward the full discussion history (this essentially never happens
> in IME). Mailing list also has that easy archive access benefit.
>
> Is it possible to setup people to be able to view launchpad private
> bugs, without also making them full admins for the QEMU launchpad
> project ?
Honestly, I'd rather like us to move to the gitlab bug tracker instead
of extending our use of the launchpad tracker. LP is IMHO a really ugly
bug tracking tool.
> Does launchpad still send clear text email notifications to the
> permitted admins for private bugs ? I recall I used to get clear
> text emails for private bugs in the past for non-QEMU projects.
IIRC, yes, the email notifications for the private bugs are still sent
without encryption.
Thomas