11 Commits

Author SHA1 Message Date
Daniel P. Berrange
49e6a16f82 Document security reporting & handling process
Historically security issues in libvirt have been primarily
triaged & fixed by the Red Hat libvirt members & Red Hat
security team, who then usually notify other vendors via
appropriate channels. There have been a number of times
when vendors have not been properly notified ahead of
announcement. It has also disadvantaged community members
who have to backport fixes to releases for which there are
no current libvirt stable branches.

To address this, we want to make the libvirt security process
entirely community focused / driven. To this end I have set up
a new email address "libvirt-security@redhat.com" for end
users to report bugs which have (possible) security implications.

This email addr is backed by an invitation only, private
archive, mailing list. The intent is for the list membership
to comprise a subset of the libvirt core team, along with any
vendor security team engineers who wish to participate in a
responsible disclosure process for libvirt. Members of the
list will be responsible for analysing the problem to determine
if a security issue exists and then issue fixes for all current
official stable branches & git master.

I am proposing the following libvirt core team people as
members of the security team / list (all cc'd):

   Daniel Berrange (Red Hat)
   Eric Blake (Red Hat)
   Jiri Denemar (Red Hat)
   Daniel Veillard (Red Hat)
   Jim Fehlig (SUSE)
   Doug Goldstein (Gentoo)
   Guido Günther (Debian)

We don't have anyone from Ubuntu on the libvirt core team.
Serge Hallyn is the most frequent submitter of patches from
Ubuntu in recent history, so I'd like to invite him to join.
Alternatively, Serge, feel free to suggest someone else to
represent Ubuntu's interests.

If any other vendors/distros have security people who are
responsible for dealing with libvirt security issues, and
want to join to get early disclosure of issues, they can
suggest people. Existing security team members will vet /
approve such requests to ensure they are genuine.

Anyone on the team / list will be **required** to honour any
embargo period agreed between members for non-public issues
that are reported. The aim will be to have a maximum 2 week
embargo period in the common case, extendable to 1 month if
there is sufficient justification made. If anyone feels they
are unable to follow such an embargo process for whatever
reason, please decline membership of the security list/team.

The patch which follows puts up some docs on the website
about all of this....

Document how to report security bugs and the process that
will be used for addressing them.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-01 11:08:58 +08:00
Daniel P. Berrange
f2f9742d4d Fix multiple formatting problems in HTML docs
The rule generating the HTML docs passes the --html flag
to xsltproc. This makes it use the legacy HTML parser, which
either ignores or tries to fix all sorts of broken XML tags.
There's no reason why we should be writing broken XML in
the first place, so removing --html and adding the XHTML
doctype to all files forces us to create good XML.

This adds the XHTML doc type and fixes many, many XML tag
problems it exposes.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-03 15:56:15 +01:00
Yuri Chornoivan
66d811293a Fix some typos in messages, docs and comments. 2012-08-22 15:34:07 -06:00
Dave Allan
751fec3557 Update bug reporting page
Remove suggestion that people file bugs against RHEL 5 and add a
suggestion that people increase the visibility of their bugs by
mentioning them on libvir-list.
2012-02-23 16:02:33 -07:00
Daniel Veillard
dc844b9078 Augment bug reporting documentation
With some instruction on how to attach useful gdb backtraces
2010-11-10 13:16:37 +01:00
Justin Clift
1354b603ae docs: added a table of contents to the first 11 docs files
There are 58 docs files, so adding an autogenerated Table Of
Contents to them all will take some time.  This is the first
piece of the work done.
2010-10-27 15:01:45 +11:00
Matthias Bolte
728e9229b1 Replace old CVS references with GIT 2010-01-08 18:08:22 +01:00
Matthew Booth
c6d5ac174e Cleanup whitespace in docs
This patch is the result of running the following command in the docs
directory: sed -i 's/\t/        /g; s/\s*$//' *.html.in

* docs/*.html.in:convert tabs into 8 spaces and remove trailing whitespace
2009-11-06 16:05:18 +01:00
Garry Dolley
a90629aa13 Update the links for RHEL libvirt bugzillas 2009-07-15 11:46:52 +02:00
Garry Dolley
f19fdbba22 Update links to bugzilla
* docs/bugs.html[.in]: general tickets are under the 'Virtualization
  Tools' product category and Fedora specific tickets are under the
  'Fedora' product category.
2009-07-13 10:31:24 +02:00
Daniel P. Berrange
9092c3d491 Split website out into one file per page. Apply new layout and styling 2008-04-23 17:08:31 +00:00