security at ovirt.org mailing list

David Jorm djorm at redhat.com
Thu Nov 10 03:59:46 UTC 2011


> Often projects have a security@ private list w/ just key core developers
> subscribed.  I'm not fundamentally opposed to secalert being subscribed,
> but it does set a precedent that distros' security teams may expect to
> be involved rather than notified via something like oss-security.

Subscribing secalert allows us to handle reported issues in confidence or under embargo. When security researchers who are practising responsible disclosure report issues, they often want the issue handled under embargo so that they can synchronize their own publication of the flaw with the release of a patch. There's no reason in my view that other distros' security teams can't be involved too, if they can handle issues under embargo. oss-security is publicly archived, so issues sent there can't be kept under embargo.

Red Hat SRT has a set of tools that allow us to file tracking bugs for all versions of a product affected by a given flaw. Since most ovirt projects so far are using bugzilla, we can use these tools to file tracking bugs against the ovirt projects. By giving the direct feed of information to secalert, the ovirt projects will be getting triage and bug filing back, for free.

Thanks
David



More information about the Board mailing list