Often projects have a security@ private list w/ just key core developers subscribed. I'm not fundamentally opposed to secalert being subscribed, but it does set a precedent that distros' security teams may expect to be involved rather than notified via something like oss-security.
Subscribing secalert allows us to handle reported issues in-confidence or under embargo. When security researchers who are practising responsible disclosure report issues, they often want the issue handled under embargo so that they can synchronize their own publication of the flaw with the release of a patch. There's no reason in my view that other distros' security teams can't be involved too, if they can handle issues under embargo. oss-security is publicly archived, so issues sent there can't be kept under embargo.
Red Hat SRT has a set of tools that allow us to file tracking bugs for all versions of a product affected by a given flaw. Since most ovirt projects so far are using bugzilla, we can use these tools to file tracking bugs against the ovirt projects. By giving the direct feed of information to secalert, the ovirt projects will be getting triage and bug filing back, for free.
Thanks
David