[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Is:livepatch-build-tools.git declare it supported? Was:Re: [PATCH for-4.9] livepatch: Declare live patching as a supported feature

On Tue, Aug 22, 2017 at 11:58:57AM +0100, George Dunlap wrote:
> I think guest OS support is actually a pretty good analog.  I can't
> imagine not issuing XSAs for bugs in Linux, just as I can't imagine
> not issuing XSAs for actual security issues that get found in the
> livepatch tools.  If you think we shouldn't give security support for
> Linux, it makes sense that you would feel the same way for
> livepatch-tools (although I don't really understand why you think that
> way about either).
> We issue more XSAs for Linux than for other guests, in part because of
> the complexity of the code inside Linux compared to other OSes; but
> also in part due to the fact that that is the most tested and
> looked-at.  There probably *are* more bugs in Linux than in NetBSD or
> FreeBSD; but also more of them are found because more people are
> testing and looking.

IMHO, we issue XSA for Linux because Linux lacks a security process.
If a bug was found in the BSDs, it should be handled using the normal
security process that each BSD has, and a SA would be issued by the
security officer:


For example NetBSD has recently released a SA for a Xen-specific
PV vulnerability in their implementation:



Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.