On Mon, 14 Sep 2020 at 09:55, Daniel P. Berrangé <berra...@redhat.com> wrote:
> Do we think the current QEMU security process is working well for the
> community as a whole in terms of our downstream consumers learning about
> security flaws in an appropriate timeframe and manner?
That sounds like a question we should be asking our distro contacts, not guessing at amongst ourselves :-)

Personally, my view is that our current security process is absolutely useless for anybody who isn't either (a) a distro, (b) using their distro's packaged QEMU, or (c) big enough to effectively be acting as their own distro by tracking CVE announcements and applying patches by hand -- because we don't produce timely new upstream releases with security fixes.

So unless we want to change that, I think the key question is "does this process work for the distros?", and I'm happy if we make adjustments to fix whatever their problems with it might be.

thanks
-- PMM