On a Wednesday in 2026, Daniel P. Berrangé via Devel wrote:
The QEMU project has just changed to use GitLab confidential issues
for security disclosures.

 https://www.qemu.org/contribute/security-process/

While libvirt isn't (yet) suffering the same massive AI powered bug
tsunami, I'm not seeing an especially compelling reason to continue
using email for security disclosures with such limited need-to-know
practices.


I did not follow the QEMU discussion leading up to this, but I think
you're mixing up two arguments here - no longer using e-mail and
disclosing it to a wider audience.

While using GitLab theoretically exposes us to greater risk of
exposure via the GitLab's own staff / infra compromise, in practice
they likely do a better job securing their infra than we do for
our mailman install. Submissions are also guaranteed TLS protection
which we can't so confidently assume for email.

We don't tend to apply any long embargo times. Our maintainers are
all trusted with commit access to libvirt.git, so from a trust POV
I feel it acceptable to have scurity disclosures visible to all of
them instead of restricted to a handful of maintainers.


Agreed.

The security list has  a handful of people from the distro present
who in theory can watch it for early access to disclosures. I'm
not sure if that makes a difference in practice though, especially
with all the distros suffering an AI bug tsunami leading to greatly
extended fix times.


Aren't they libvirt maintainers already?

IOW, overall a lighter weight process using GitLab confidential
issues feels like it should be sufficient for libvirt too.


I'm indifferent to the switch to GitLab, but I don't consider it anymore
lightweight than e-mail. Do you have a link to the QEMU discussion?

Jano

Attachment: signature.asc
Description: PGP signature

Reply via email to