
Re: [Xen-devel] Consensus in Parallel Universe Responses to Spectre/Meltdown

On 01/11/2018 03:38 AM, Rich Persaud wrote:
> Across the computer industry, it is clear that a small subset of specialists 
> have known about this issue for some time:  developers who worked on 
> candidate fixes ahead of the public announcement, experts who warned about 
> microarchitecture risks years ago, and any adversaries who acted on their 
> warnings.  Some people had advance information & time to consider candidate 
> solutions, most [1] of the world did not.
> As a customer of $HW_vendor / Xen / $OS_vendor / $APP_vendor, the last thing 
> I want to hear is that world-class specialists who have had weeks/months to 
> evaluate candidate fixes have been unable to reach agreement and propose to 
> delegate the decision TO CUSTOMERS (?!)  That would be customers with only 
> days of exposure to the CVE details, who still have to keep their regular 
> business running, while trying to understand a complex security issue that 
> eluded experts for decades.

I hope I'm not saying too much to say this: Those who knew about this
were not working according to the normal XenProject Security Team rules;
in fact the XenProject Security Team as such was only officially told on
3 January (the same day the issue went public).  Those who knew were
working under NDA and sharing of information was severely restricted,
*even on people in the same team at the same organization*.

In the week that we've been able to openly discuss it, we've already
come up with a large number of much better ideas than the people "in the
know" were able to come up with crippled by a lack of ability to

I'm sure I speak for a number of people when I say that we're just as
unhappy with that situation as you are.
