Re: [Xen-devel] [qubes-devel] Re: Critique of the Xen Security Process
On Mon, Nov 09, 2015 at 04:31:58PM +0000, Franz wrote:
> Perhaps a way out of this impasse is to put bounties on Xen security tasks
> identified by Joanna and properly advertise these bounties to Xen users.
> [snip]
This is a fundamentally wrong idea. Security isn't something you can
"apply" or put bounty on. It's a state of the mind, especially
developer's. Joanna wrote in her mail:
> > > I can't help but have a feeling that some of the Xen developers seem to be
> > > overconfident in their belief they can fully understand all the possible
> > > execution paths in their code. Well, the XSAs quoted above are an indisputable
> > > proof that this is not quite always the case. Realizing that, each developer by
> > > themselves, might be a great step towards a more secure hypervisor...
And that's why we can't just "submit a patch" to "contribute security".
There is something wrong with Xen as a whole project, but that something
isn't the code. There is a mindset to be fixed.
--
regards,
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
-- Isaac Asimov