Re: [Xen-devel] [qubes-devel] Re: Critique of the Xen Security Process
On Mon, Nov 09, 2015 at 04:31:58PM +0000, Franz wrote:
> Perhaps a way out of this impasse is to put bounties on Xen security tasks
> identified by Joanna and properly advertise these bounties to Xen users.
> [snip]

This is a fundamentally wrong idea. Security isn't something you can "apply" or
put a bounty on. It's a state of mind, especially the developer's. Joanna
wrote in her mail:

> > > I can't help but have a feeling that some of the Xen developers seem to be
> > > overconfident in their belief they can fully understand all the possible
> > > execution paths in their code. Well, the XSAs quoted above are an
> > > indisputable proof that this is not quite always the case. Realizing that,
> > > each developer by themselves, might be a great step towards a more secure
> > > hypervisor...

And that's why we can't just "submit a patch" to "contribute security". There
is something wrong with Xen as a whole project, but that something isn't the
code. There is a mindset to be fixed.

--
regards,
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
    -- Isaac Asimov