
Re: [Xen-devel] Security support scope (apropos of Xen and CNA)

At 13:53 +0100 on 04 May (1493905990), Ian Jackson wrote:
> To become a CNA (CVE Numbering Authority), which we would like to do,
> we need to provide MITRE's CNA programme with a definition of the
> scope of our CNA.  That should be the scope of our general security
> support, clearly.
> At the moment we don't seem to have this written down in a single
> clear document.  I am aware of the following places which can contain
> information about security support (normally, in the form of
> statements saying that certain things are not supported):
>  * https://wiki.xenproject.org/wiki/Xen_Project_Release_Features has a
>    table of versions with security support, and information about some
>    features.
>  * xen.git:docs/misc/qemu-xen-security, limits security support to
>    some configurations.
>  * xen.git:MAINTAINERS might in principle have a status not implying
>    security support.
>  * Docs for an individual feature (eg in xl docs) might say that the
>    feature is not advised, or not supported, or something.
>  * Previous XSA advisories might withdraw support.
> This diversity of information sources is rather unsatisfactory.
> I think we need to at least reduce the number of different information
> sources.  Also we need an overview document which points to them all.
> Where should this overview document be?  Which of the above sources
> should be coalesced into which others?

IMO the overview should be on the main xenproject.org site, ideally in
the security process preamble, or beside it if it gets too long.

It should read something like this:

 - Security support is provided for the following versions:
   [List of versions, + an item on the release checklist to update it.]

 - Only features listed as Supported in MAINTAINERS get support.

 - Specific exemptions:
   [ move qemu-xen-security here, and delete it from the tree ]
   [ brief summary of XSA-77 + a link for details. ]
   [ anything else?  I don't think we need to explicitly call out to
     docs for individual features, but there might be some things
     to mention here, e.g. DMA attacks with IOMMU disabled. ]

Not sure about the Xen_Project_Release_Features wiki page -- it's nice
to have all that info + historical versions in one place; on the
other hand it's not the canonical source for most of it and risks
getting out of date.  Maybe it needs an introduction pointing out
that MAINTAINERS and the new security scope doc are the official sources.
