security at ovirt.org mailing list
Chris Wright
chrisw at redhat.com
Wed Nov 9 06:38:31 UTC 2011
* David Jorm (djorm at redhat.com) wrote:
> Hi All
>
> I would like to create a security at ovirt.org mailing list. The list would be used to capture reports of security flaws affecting projects under the oVirt umbrella, not for general security discussion. I would then like to create a security page on the wiki, mentioning this list and encouraging people to report flaws. The list should be private, with approval required to subscribe. I would like one of the initial subscribers to be secalert at redhat.com. All messages sent to this address result in an RT ticket in the Red Hat Security Response Team (SRT) queue. SRT looks at all of these tickets within one business day.
>
> What does everyone think of this idea?
Formalizing something re: security and ovirt is a great idea, thanks for
proposing. Two thoughts on the topic...
Often projects have a security@ private list w/ just key core developers
subscribed. I'm not fundamentally opposed to secalert being subscribed,
but it does set a precedent that distros' security teams may expect to
be involved rather than notified via somehting like oss-security.
The other thing to consider is that ovirt is an umbrella organization for
multiple projects. It's possible that each project should have a security
contact of its own, e.g. do VDSM, webui, or ovirt node developers need
to be on a private list discussing ovirt-engine security vulnerabilities
(from the point of view of information leak concerns)?
thanks,
-chris
More information about the Board
mailing list