Re: [Xen-devel] Critique of the Xen Security Process
On Fri, 6 Nov 2015, Joanna Rutkowska wrote:
> Can we, the Qubes OS project, or myself personally, help with implementing the
> above suggestions? Sadly, no. While some of us do contribute occasional
> patches to Xen (specifically Marek Marczykowski-Górecki), we really work for a
> different project and have different tasks and responsibilities.

Ian wrote in his blog post: "Ultimately, of course, a Free Software project like Xen is what the whole community makes it. In the project as a whole we get a lot more submissions of new functionality than we get submissions aimed at improving the security".

If invisiblethingslab, or other security groups, were among the top three contributors or reviewers in Xen Project, the community and the code would be different. If somebody submitted a clean patch to disable or remove a functionality because it is not secure, we would consider it. Even better, if somebody reviewed a patch and found security issues with it, she would prevent the patch from getting in in the first place.

Why doesn't this happen more often? In general, if security is important to many people, why don't we see more security oriented submissions and reviews? Anybody can do reviews! He or she doesn't need to be a maintainer to do them.

Open Source software communities are a funnel:

https://talesfromthecommunity.wordpress.com/2012/06/16/viewing-communities-as-funnels/

and in particular:

https://talesfromthecommunity.files.wordpress.com/2012/06/basicfunnel1.png

It seems to me that not enough security aware people are getting past the "customize without contributing back" or "occasionally contributing" stages. Why is that?

Don't underestimate the impact that even a single very committed individual can have on a software project.