[libvirt] [PATCH] Document security reporting & handling process

Jason Helfman jgh at FreeBSD.org
Mon Jun 17 06:28:10 UTC 2013 

On Tue, Jun 4, 2013 at 9:29 AM, Roman Bogorodskiy <bogorodskiy at gmail.com>wrote:

>   Daniel P. Berrange wrote:
>
> > On Tue, Jun 04, 2013 at 09:33:15AM -0600, Eric Blake wrote:
> > > On 06/04/2013 04:06 AM, Daniel P. Berrange wrote:
> > > > From: "Daniel P. Berrange" <berrange at redhat.com>
> > > >
> > > > Historically security issues in libvirt have been primarily
> > > > triaged & fixed by the Red Hat libvirt members & Red Hat
> > > > security team, who then usually notify other vendors via
> > > > appropriate channels. There have been a number of times
> > > > when vendors have not been properly notified ahead of
> > > > announcement. It has also disadvantaged community members
> > > > who have to backport fixes to releases for which there are
> > > > no current libvirt stable branches.
> > > >
> > > > To address this, we want to make the libvirt security process
> > > > entirely community focused / driven. To this end I have setup
> > > > a new email address "libvirt-security at redhat.com" for end
> > > > users to report bugs which have (possible) security implications.
> > > >
> > > > This email addr is backed by an invitation only, private
> > > > archive, mailing list. The intent is for the list membership
> > > > to comprise a subset of the libvirt core team, along with any
> > > > vendor security team engineers who wish to participate in a
> > > > responsible disclosure process for libvirt. Members of the
> > > > list will be responsible for analysing the problem to determine
> > > > if a security issue exists and then issue fixes for all current
> > > > official stable branches & git master.
> > > >
> > > > I am proposing the following libvirt core team people as
> > > > members of the security team / list (all cc'd):
> > > >
> > > >    Daniel Berrange (Red Hat)
> > > >    Eric Blake (Red Hat)
> > > >    Jiri Denemar (Red Hat)
> > > >    Daniel Veillard (Red Hat)
> > > >    Jim Fehlig (SUSE)
> > > >    Doug Goldstein (Gentoo)
> > > >    Guido Günther (Debian)
> > > >
> > > > We don't have anyone from Ubuntu on the libvirt core team.
> > > > Serge Hallyn is the most frequent submitter of patches from
> > > > Ubuntu in recent history, so I'd like to invite him to join.
> > > > Alternatively, Serge, feel free to suggest someone else to
> > > > represent Ubuntu's interests.
> > >
> > > Is it worth adding any BSD representation? Roman Bogorodskiy might be
> > > the best candidate on that front.
> >
> > Yep, meant to mention that. I was not sure whether any *BSD is actually
> > distributing formal libvirt packages to users yet, or if they're still
> > just at the code porting stage. Roman, what's the status of the FreeBSD
> > port / packaging effort from your POV ?
>
> FreeBSD has libvirt port:
>
> http://www.freshports.org/devel/libvirt/
>
> It is maintained by Jason Helfman (CCed), so I think he's more
> appropriate person for such kind of things. From my side, I'd
> be happy to help also.
>
> Roman Bogorodskiy
>

Packages are supplied to users as part of our standard package distribution
sets for releases and standard updates of our package sets.
It has been distributed as a package since it was committed to the FreeBSD
ports tree.

-jgh

--
Jason Helfman          | FreeBSD Committer
jgh at FreeBSD.org     | http://people.freebsd.org/~jgh  | The Power to Serve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130616/d0f7defb/attachment-0001.htm>

More information about the libvir-list mailing list