Re: [Xen-devel] Is:livepatch-build-tools.git declare it supported? Was:Re: [PATCH for-4.9] livepatch: Declare live patching as a supported feature

[Roger Pau Monné <roger.pau@xxxxxxxxxx>]

On Tue, Aug 22, 2017 at 11:58:57AM +0100, George Dunlap wrote:
> I think guest OS support is actually a pretty good analog.  I can't
> imagine not issuing XSAs for bugs in Linux, just as I can't imagine
> not issuing XSAs for actual security issues that get found in the
> livepatch tools.  If you think we shouldn't give security support for
> Linux, it makes sense that you would feel the same way for
> livepatch-tools (although I don't really understand why you think that
> way about either).
> 
> We issue more XSAs for Linux than for other guests, in part because of
> the complexity of the code inside Linux compared to other OSes; but
> also in part due to the fact that that is the most tested and
> looked-at.  There probably *are* more bugs in Linux than in NetBSD or
> FreeBSD; but also more of them are found because more people are
> testing and looking.

IMHO, we issue XSA for Linux because Linux lacks a security process.
If a bug was found in the BSDs, it should be handled using the normal
security process that each BSD has, and a SA would be issued by the
security officer:

https://www.freebsd.org/security/advisories.html

For example NetBSD has recently released a SA for a Xen-specific
PV vulnerability in their implementation:

ftp://ftp.nl.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-003.txt.asc

Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel