On Tue, Apr 29, 2014 at 02:33:58PM +0200, Markus Armbruster wrote: > Peter Maydell <peter.maydell@xxxxxxxxxx> writes: > > > On 29 April 2014 11:09, Michael S. Tsirkin <mst@xxxxxxxxxx> wrote: > >> Let's just make clear how to contact us securely, when to contact that > >> list, and what we'll do with the info. I cobbled together the > >> following: > >> http://wiki.qemu.org/SecurityProcess > > > > Looks generally OK I guess. I'd drop the 'how to use pgp' section -- > > anybody who cares will already know how to send us PGP email. > > The first paragraph under "How to Contact Us Securely" is fine, the rest > seems redundant for readers familiar with PGP, yet hardly sufficient for > the rest. > > One thing I like about Libvirt's Security Process page[*] is they give > an idea on embargo duration. FWIW I picked the "2 weeks" length myself a completely arbitrary timeframe. We haven't stuck to that strictly - we consider needs of each vulnerability as it is triaged to determine the minimum practical embargo time. So think of "2 weeks" as more of a guiding principal to show the world that we don't believe in keeping issues under embargo for very long periods of time. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html