[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security support scope (apropos of Xen and CNA)



> On 5 May 2017, at 09:43, Tim Deegan <tim@xxxxxxx> wrote:
> 
> At 13:53 +0100 on 04 May (1493905990), Ian Jackson wrote:
>> To become a CNA (CVE Numbering Authority), which we would like to do,
>> we need to provide MITRE's CNA programme with a definition of the
>> scope of our CNA.  That should be the scope of our general security
>> support, clearly.
>> 
>> At the moment we don't seem to have this written down in a single
>> clear document.  I am aware of the following places which can contain
>> information about security support (normally, in the form of
>> statements saying that certain things are not supported):
>> 
>> * https://wiki.xenproject.org/wiki/Xen_Project_Release_Features has a
>>   table of versions with security support, and information about some
>>   features.
>> 
>> * xen.git:docs/misc/qemu-xen-security, limits security support to
>>   some configurations.
>> 
>> * xen.git:MAINTAINERS might in principle have a status not implying
>>   security support.
>> 
>> * Docs for an individual feature (eg in xl docs) might say that the
>>   feature is not advised, or not supported, or something.
>> 
>> * Previous XSA advisories might withdraw support.
>> 
>> This diversity of information sources is rather unsatisfactory.
>> 
>> I think we need to at least reduce the number of different information
>> sources.  Also we need an overview document which points to them all.
>> 
>> Where should this overview document be ?  Which of the above sources
>> should be coalesced into which others ?
> 
> IMO the overview should on the main xenproject.org site, ideally in
> the security process preamble, or beside it if it gets too long.

I am happy with that

> It should read something like this:
> 
> - Security support is provided for the following versions:
>   [List of versions, + an item on the release checklist to update it.]

A bit more work, but can be done

> - Only features listed as Supported in MAINTAINERS get support.

This seems related to George's proposal of the scope. I am not sure MAINTAINERS 
is correct though (e.g. live-patching is probably listed as Supported but does 
not get security support)

> - Specific exemptions:
>   [ move qemu-xen-security here, and delete it from the tree ]
>   [ brief summary of XSA-77 + a link for details. ] 
>   [ anything else?  I don't think we need to explicitly call out to
>     docs for individual features, but there might be some things
>     to mention here, e.g. DMA attacks with IOMMU disabled. ]
> 
> Not sure about the Xen_Project_Release_Features wiki page -- it's nice
> to have all that info + historical versions in one place; on the
> other hand it's not the canonical source for most of it and risks
> getting out of date.  Maybe it needs an introduction pointing out
> that MAINTAINERS and the new security scope doc are the official sources.

Also everyone can edit it. To be honest, if we need to make changes frequently, 
we should probably maintain this in-tree. 

Lars


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.