[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Document security reporting & handling process



On Tue, Jun 4, 2013 at 9:29 AM, Roman Bogorodskiy <bogorodskiy gmail com> wrote:
  Daniel P. Berrange wrote:

> On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
> > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
> > > From: "Daniel P. Berrange" <berrange redhat com>
> > >
> > > Historically security issues in libvirt have been primarily
> > > triaged & fixed by the Red Hat libvirt members & Red Hat
> > > security team, who then usually notify other vendors via
> > > appropriate channels. There have been a number of times
> > > when vendors have not been properly notified ahead of
> > > announcement. It has also disadvantaged community members
> > > who have to backport fixes to releases for which there are
> > > no current libvirt stable branches.
> > >
> > > To address this, we want to make the libvirt security process
> > > entirely community focused / driven. To this end I have setup
> > > a new email address "libvirt-security redhat com" for end
> > > users to report bugs which have (possible) security implications.
> > >
> > > This email addr is backed by an invitation only, private
> > > archive, mailing list. The intent is for the list membership
> > > to comprise a subset of the libvirt core team, along with any
> > > vendor security team engineers who wish to participate in a
> > > responsible disclosure process for libvirt. Members of the
> > > list will be responsible for analysing the problem to determine
> > > if a security issue exists and then issue fixes for all current
> > > official stable branches & git master.
> > >
> > > I am proposing the following libvirt core team people as
> > > members of the security team / list (all cc'd):
> > >
> > >    Daniel Berrange (Red Hat)
> > >    Eric Blake (Red Hat)
> > >    Jiri Denemar (Red Hat)
> > >    Daniel Veillard (Red Hat)
> > >    Jim Fehlig (SUSE)
> > >    Doug Goldstein (Gentoo)
> > >    Guido Günther (Debian)
> > >
> > > We don't have anyone from Ubuntu on the libvirt core team.
> > > Serge Hallyn is the most frequent submitter of patches from
> > > Ubuntu in recent history, so I'd like to invite him to join.
> > > Alternatively, Serge, feel free to suggest someone else to
> > > represent Ubuntu's interests.
> >
> > Is it worth adding any BSD representation? Roman Bogorodskiy might be
> > the best candidate on that front.
>
> Yep, meant to mention that. I was not sure whether any *BSD is actually
> distributing formal libvirt packages to users yet, or if they're still
> just at the code porting stage. Roman, what's the status of the FreeBSD
> port / packaging effort from your POV ?

FreeBSD has libvirt port:

http://www.freshports.org/devel/libvirt/

It is maintained by Jason Helfman (CCed), so I think he's more
appropriate person for such kind of things. From my side, I'd
be happy to help also.

Roman Bogorodskiy

Packages are supplied to users as part of our standard package distribution sets for releases and standard updates of our package sets.
It has been distributed as a package since it was committed to the FreeBSD ports tree.

-jgh
 
--
Jason Helfman          | FreeBSD Committer
jgh FreeBSD org     | http://people.freebsd.org/~jgh  | The Power to Serve

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]