On 06/04/2013 09:33 AM, Eric Blake wrote: > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote: >> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> >> >> Historically security issues in libvirt have been primarily >> triaged & fixed by the Red Hat libvirt members & Red Hat >> security team, who then usually notify other vendors via >> appropriate channels. There have been a number of times >> when vendors have not been properly notified ahead of >> announcement. It has also disadvantaged community members >> who have to backport fixes to releases for which there are >> no current libvirt stable branches. >> >> To address this, we want to make the libvirt security process >> entirely community focused / driven. To this end I have setup >> a new email address "libvirt-security@xxxxxxxxxx" for end >> users to report bugs which have (possible) security implications. >> Document how to report security bugs and the process that >> will be used for addressing them. >> >> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> >> --- >> docs/bugs.html.in | 12 +++++ >> docs/contact.html.in | 12 +++++ >> docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++ >> docs/sitemap.html.in | 4 ++ >> 4 files changed, 141 insertions(+) >> create mode 100644 docs/securityprocess.html.in Did this ever get pushed? It should go in before 1.1.0 is released, particularly since we have already used this list to discuss CVE-2013-2218 (more details on Monday when embargo ends). -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list