On Fri, Jun 28, 2013 at 11:45:59AM -0600, Eric Blake wrote:
> On 06/04/2013 09:33 AM, Eric Blake wrote:
> > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
> >> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> >>
> >> Historically security issues in libvirt have been primarily
> >> triaged & fixed by the Red Hat libvirt members & Red Hat
> >> security team, who then usually notify other vendors via
> >> appropriate channels. There have been a number of times
> >> when vendors have not been properly notified ahead of
> >> announcement. It has also disadvantaged community members
> >> who have to backport fixes to releases for which there are
> >> no current libvirt stable branches.
> >>
> >> To address this, we want to make the libvirt security process
> >> entirely community focused / driven. To this end I have setup
> >> a new email address "libvirt-security@xxxxxxxxxx" for end
> >> users to report bugs which have (possible) security implications.
>
> >> Document how to report security bugs and the process that
> >> will be used for addressing them.
> >>
> >> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> >> ---
> >> docs/bugs.html.in | 12 +++++
> >> docs/contact.html.in | 12 +++++
> >> docs/securityprocess.html.in | 113 +++++++++++++++++++++++++++++++++++++++++++
> >> docs/sitemap.html.in | 4 ++
> >> 4 files changed, 141 insertions(+)
> >> create mode 100644 docs/securityprocess.html.in
>
> Did this ever get pushed? It should go in before 1.1.0 is released,
> particularly since we have already used this list to discuss
> CVE-2013-2218 (more details on Monday when embargo ends).
Right, I pushed it !
thanks !
Daniel
--
Daniel Veillard | Open Source and Standards, Red Hat
veillard@xxxxxxxxxx | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list