[libvirt] [PATCH] Document security reporting & handling process

Roman Bogorodskiy bogorodskiy at gmail.com
Tue Jun 4 16:29:45 UTC 2013


  Daniel P. Berrange wrote:

> On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
> > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
> > > From: "Daniel P. Berrange" <berrange at redhat.com>
> > > 
> > > Historically security issues in libvirt have been primarily
> > > triaged & fixed by the Red Hat libvirt members & Red Hat
> > > security team, who then usually notify other vendors via
> > > appropriate channels. There have been a number of times
> > > when vendors have not been properly notified ahead of
> > > announcement. It has also disadvantaged community members
> > > who have to backport fixes to releases for which there are
> > > no current libvirt stable branches.
> > > 
> > > To address this, we want to make the libvirt security process
> > > entirely community focused / driven. To this end I have setup
> > > a new email address "libvirt-security at redhat.com" for end
> > > users to report bugs which have (possible) security implications.
> > > 
> > > This email addr is backed by an invitation only, private
> > > archive, mailing list. The intent is for the list membership
> > > to comprise a subset of the libvirt core team, along with any
> > > vendor security team engineers who wish to participate in a
> > > responsible disclosure process for libvirt. Members of the
> > > list will be responsible for analysing the problem to determine
> > > if a security issue exists and then issue fixes for all current
> > > official stable branches & git master.
> > > 
> > > I am proposing the following libvirt core team people as
> > > members of the security team / list (all cc'd):
> > > 
> > >    Daniel Berrange (Red Hat)
> > >    Eric Blake (Red Hat)
> > >    Jiri Denemar (Red Hat)
> > >    Daniel Veillard (Red Hat)
> > >    Jim Fehlig (SUSE)
> > >    Doug Goldstein (Gentoo)
> > >    Guido Günther (Debian)
> > > 
> > > We don't have anyone from Ubuntu on the libvirt core team.
> > > Serge Hallyn is the most frequent submitter of patches from
> > > Ubuntu in recent history, so I'd like to invite him to join.
> > > Alternatively, Serge, feel free to suggest someone else to
> > > represent Ubuntu's interests.
> > 
> > Is it worth adding any BSD representation? Roman Bogorodskiy might be
> > the best candidate on that front.
> 
> Yep, meant to mention that. I was not sure whether any *BSD is actually
> distributing formal libvirt packages to users yet, or if they're still
> just at the code porting stage. Roman, what's the status of the FreeBSD
> port / packaging effort from your POV ?

FreeBSD has libvirt port:

http://www.freshports.org/devel/libvirt/

It is maintained by Jason Helfman (CCed), so I think he's more
appropriate person for such kind of things. From my side, I'd
be happy to help also.

Roman Bogorodskiy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130604/766ece68/attachment-0001.sig>


More information about the libvir-list mailing list