libvirt/docs/contact.html.in

117 lines
4.2 KiB
HTML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<h1>Contacting the project contributors</h1>
<ul id="toc"></ul>
<h2><a id="security">Security Issues</a></h2>
Document security reporting & handling process Historically security issues in libvirt have been primarily triaged & fixed by the Red Hat libvirt members & Red Hat security team, who then usually notify other vendors via appropriate channels. There have been a number of times when vendors have not been properly notified ahead of announcement. It has also disadvantaged community members who have to backport fixes to releases for which there are no current libvirt stable branches. To address this, we want to make the libvirt security process entirely community focused / driven. To this end I have setup a new email address "libvirt-security@redhat.com" for end users to report bugs which have (possible) security implications. This email addr is backed by an invitation only, private archive, mailing list. The intent is for the list membership to comprise a subset of the libvirt core team, along with any vendor security team engineers who wish to participate in a responsible disclosure process for libvirt. Members of the list will be responsible for analysing the problem to determine if a security issue exists and then issue fixes for all current official stable branches & git master. I am proposing the following libvirt core team people as members of the security team / list (all cc'd): Daniel Berrange (Red Hat) Eric Blake (Red Hat) Jiri Denemar (Red Hat) Daniel Veillard (Red Hat) Jim Fehlig (SUSE) Doug Goldstein (Gentoo) Guido Günther (Debian) We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn is the most frequent submitter of patches from Ubuntu in recent history, so I'd like to invite him to join. Alternatively, Serge, feel free to suggest someone else to represent Ubuntu's interests. If any other vendors/distros have security people who are responsible for dealing with libvirt security issues, and want to join to get early disclosure of issues, they can suggest people. Existing security team members will vet / approve such requests to ensure they are genuine. Anyone on the team / list will be **required** to honour any embargo period agreed between members for non-public issues that are reported. The aim will be to have a maximum 2 week embargo period in the common case, extendable to 1 month if there is sufficient justification made. If anyone feels they are unable to follow such an embargo process for whatever reason, please decline membership of the security list/team. The patch which follows puts up some docs on the website about all of this.... Document how to report security bugs and the process that will be used for addressing them. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-04 10:06:01 +00:00
<p>
If you think that an issue with libvirt may have security
implications, <strong>please do not</strong> publicly
Document security reporting & handling process Historically security issues in libvirt have been primarily triaged & fixed by the Red Hat libvirt members & Red Hat security team, who then usually notify other vendors via appropriate channels. There have been a number of times when vendors have not been properly notified ahead of announcement. It has also disadvantaged community members who have to backport fixes to releases for which there are no current libvirt stable branches. To address this, we want to make the libvirt security process entirely community focused / driven. To this end I have setup a new email address "libvirt-security@redhat.com" for end users to report bugs which have (possible) security implications. This email addr is backed by an invitation only, private archive, mailing list. The intent is for the list membership to comprise a subset of the libvirt core team, along with any vendor security team engineers who wish to participate in a responsible disclosure process for libvirt. Members of the list will be responsible for analysing the problem to determine if a security issue exists and then issue fixes for all current official stable branches & git master. I am proposing the following libvirt core team people as members of the security team / list (all cc'd): Daniel Berrange (Red Hat) Eric Blake (Red Hat) Jiri Denemar (Red Hat) Daniel Veillard (Red Hat) Jim Fehlig (SUSE) Doug Goldstein (Gentoo) Guido Günther (Debian) We don't have anyone from Ubuntu on the libvirt core team. Serge Hallyn is the most frequent submitter of patches from Ubuntu in recent history, so I'd like to invite him to join. Alternatively, Serge, feel free to suggest someone else to represent Ubuntu's interests. If any other vendors/distros have security people who are responsible for dealing with libvirt security issues, and want to join to get early disclosure of issues, they can suggest people. Existing security team members will vet / approve such requests to ensure they are genuine. Anyone on the team / list will be **required** to honour any embargo period agreed between members for non-public issues that are reported. The aim will be to have a maximum 2 week embargo period in the common case, extendable to 1 month if there is sufficient justification made. If anyone feels they are unable to follow such an embargo process for whatever reason, please decline membership of the security list/team. The patch which follows puts up some docs on the website about all of this.... Document how to report security bugs and the process that will be used for addressing them. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-06-04 10:06:01 +00:00
report it in the bug tracker, mailing lists, or irc. Libvirt
has <a href="securityprocess.html">a dedicated process for handling (potential) security issues</a>
that should be used instead. So if your issue has security
implications, ignore the rest of this page and follow the
<a href="securityprocess.html">security process</a> instead.
</p>
<h2><a id="email">Mailing lists</a></h2>
<p>
There are three mailing-lists:
</p>
<dl class="mail">
<dt><a href="https://www.redhat.com/mailman/listinfo/libvir-list">libvir-list@redhat.com</a> (for development)</dt>
<dd>
Archives at <a href="https://www.redhat.com/archives/libvir-list">https://www.redhat.com/archives/libvir-list</a>
</dd>
<dd>
This is a high volume mailing list. It is a place for discussions
about the <strong>development</strong> of libvirt.
</dd>
<dd>
Topics for discussion include:
<ul>
<li>New features for libvirt</li>
<li>Bug fixing of libvirt</li>
<li>New hypervisor drivers</li>
<li>Development of language bindings for libvirt API</li>
<li>Testing and documentation of libvirt</li>
</ul>
</dd>
<dt><a href="https://www.redhat.com/mailman/listinfo/libvirt-users">libvirt-users@redhat.com</a> (for users)</dt>
<dd>
Archives at <a href="https://www.redhat.com/archives/libvirt-users">https://www.redhat.com/archives/libvirt-users</a>
</dd>
<dd>
This is a moderate volume mailing list. It is a place for discussions
involving libvirt <strong>users</strong>.
</dd>
<dd>
Topics for discussion include:
<ul>
<li>Usage of libvirt / virsh</li>
<li>Administration of libvirt</li>
<li>Deployment of libvirt with hypervisors</li>
<li>Development of applications on top of / using the libvirt API(s)</li>
<li>Any other topics along these lines</li>
</ul>
</dd>
<dt><a href="https://www.redhat.com/mailman/listinfo/libvirt-announce">libvirt-announce@redhat.com</a> (for release notices)</dt>
<dd>
Archives at <a href="https://www.redhat.com/archives/libvirt-announce">https://www.redhat.com/archives/libvirt-announce</a>
</dd>
<dd>
This is a low volume mailing list, with restricted posting, for
announcements of new libvirt releases.
</dd>
<dd>
Subscribe to just this if you want to be notified of new releases,
without subscribing to either of the other mailing lists.
</dd>
</dl>
<p>
It is recommended but not required that you subscribe before posting
to the user and development lists. Posts from non-subscribers will be
subject to manual moderation delays. You can subscribe at the linked
web pages above.
</p>
<p>
Patches with explanations and provided as attachments are really
appreciated, and should be directed to the development mailing list
for review and discussion.
Wherever possible, please generate the patches by using
<code>git format-patch</code> in a git repository clone. Further
useful information regarding developing libvirt and/or contributing is
available on our <a href="hacking.html">Contributor Guidelines</a>
page.
</p>
<h2><a id="irc">IRC discussion</a></h2>
<p>
Some of the libvirt developers may be found on IRC on the <a href="http://oftc.net">OFTC IRC</a>
network. Use the settings:
</p>
<ul>
<li>server: irc.oftc.net</li>
<li>port: 6667 (the usual IRC port)</li>
<li>channel: #virt</li>
</ul>
<p>
NB There is no guarantee that someone will be watching or able to reply
promptly, so use the mailing-list if you don't get an answer on the IRC
channel.
</p>
</body>
</html>