Re: [Xen-devel] Xen 4.1.x security support

["Jan Beulich" <JBeulich@xxxxxxxx>]

>>> On 17.09.13 at 19:38, Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx> 
>>> wrote:
> On 09/17/13 08:47, Jan Beulich wrote:
>>>>> On 17.09.13 at 00:01, Marek 
>>>>> Marczykowski-GÃrecki<marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> 4.1.6.1 was announced as the last 4.1.x release. Does it mean that further
>>> XSAs will not carry patches for 4.1?
>> 
>> That's the way I view it, but that doesn't mean it has to be that way.
>> 
> 
> That would be rather unfortunate. E.g. we're planning to stick to Xen
> 4.1 for our Qubes R2 release. There are some problems with Xen 4.2 such
> as the GPLPV Windows drivers not working with it correctly.
> 
> I could imagine that it should not be very costly for xen.org to
> backport each XSA patch to 4.1, should it?

Depends - there are cases (XSA-52, -53, and -55 for example)
where the backport is not straightforward. And doing backports
in the trivial cases, but not in the non-trivial ones would be sort
of odd.

That said, for the next few months at least we (SUSE) will need to
do backports to 4.1 too. But it's not clear to me whether it would
be sending the right sign if we were to include these in advisories
- after all, from a xen.org perspective we _want_ people to
recognize that dead trees are dead (unless someone steps up to
continue maintaining them, in which case it would also be that
someone to create the respective security fix backports, or at
least coordinate this between the parties doing such backports
anyway).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel