Re: [Xen-devel] Critique of the Xen Security Process

[Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>]

On Fri, 6 Nov 2015, Joanna Rutkowska wrote:
> Can we, the Qubes OS project, or myself personally, help with implementing the
> above suggestions? Sadly, no. While some of us do contribute occasional 
> patches
> to Xen (specifically Marek Marczykowski-GÃrecki), we really work for a 
> different
> project and have different tasks and responsibilities.

Ian wrote in his blog post: "Ultimately, of course, a Free Software
project like Xen is what the whole community makes it. In the project as
a whole we get a lot more submissions of new functionality than we get
submissions aimed at improving the security".

If invisiblethingslab, or other security groups, were among of the top
three contributors or reviewers in Xen Project, the community and the
code would be different.

If somebody submitted a clean patch to disable or remove a functionality
because it is not secure, we would consider it. Even better, if somebody
reviewed a patch and found security issues with it, she would prevent
the patch from getting in in the first place. What doesn't this happen
more often?

In general, if security is important to many people, why don't we see
more security oriented submissions and reviews? Anybody can do reviews!
He or she doesn't need to be a maintainer to do them.


Open Source software communities are a funnel:

https://talesfromthecommunity.wordpress.com/2012/06/16/viewing-communities-as-funnels/

and in particular:

https://talesfromthecommunity.files.wordpress.com/2012/06/basicfunnel1.png

It seems to me that not enough security aware people are getting past
the "customize without contributing back" or "occasionally contributing"
stages. Why is that?

Don't underestimate the impact that even a single very committed
individual can have on a software project.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel