Daniel P. Berrange wrote: > On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote: > > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote: > > > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> > > > > > > Historically security issues in libvirt have been primarily > > > triaged & fixed by the Red Hat libvirt members & Red Hat > > > security team, who then usually notify other vendors via > > > appropriate channels. There have been a number of times > > > when vendors have not been properly notified ahead of > > > announcement. It has also disadvantaged community members > > > who have to backport fixes to releases for which there are > > > no current libvirt stable branches. > > > > > > To address this, we want to make the libvirt security process > > > entirely community focused / driven. To this end I have setup > > > a new email address "libvirt-security@xxxxxxxxxx" for end > > > users to report bugs which have (possible) security implications. > > > > > > This email addr is backed by an invitation only, private > > > archive, mailing list. The intent is for the list membership > > > to comprise a subset of the libvirt core team, along with any > > > vendor security team engineers who wish to participate in a > > > responsible disclosure process for libvirt. Members of the > > > list will be responsible for analysing the problem to determine > > > if a security issue exists and then issue fixes for all current > > > official stable branches & git master. > > > > > > I am proposing the following libvirt core team people as > > > members of the security team / list (all cc'd): > > > > > > Daniel Berrange (Red Hat) > > > Eric Blake (Red Hat) > > > Jiri Denemar (Red Hat) > > > Daniel Veillard (Red Hat) > > > Jim Fehlig (SUSE) > > > Doug Goldstein (Gentoo) > > > Guido Günther (Debian) > > > > > > We don't have anyone from Ubuntu on the libvirt core team. > > > Serge Hallyn is the most frequent submitter of patches from > > > Ubuntu in recent history, so I'd like to invite him to join. > > > Alternatively, Serge, feel free to suggest someone else to > > > represent Ubuntu's interests. > > > > Is it worth adding any BSD representation? Roman Bogorodskiy might be > > the best candidate on that front. > > Yep, meant to mention that. I was not sure whether any *BSD is actually > distributing formal libvirt packages to users yet, or if they're still > just at the code porting stage. Roman, what's the status of the FreeBSD > port / packaging effort from your POV ? FreeBSD has libvirt port: http://www.freshports.org/devel/libvirt/ It is maintained by Jason Helfman (CCed), so I think he's more appropriate person for such kind of things. From my side, I'd be happy to help also. Roman Bogorodskiy
Attachment:
pgppEs3uGLA0L.pgp
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list