Re: [Xen-devel] Consensus in Parallel Universe Responses to Spectre/Meltdown
On 01/11/2018 03:38 AM, Rich Persaud wrote:
> Across the computer industry, it is clear that a small subset of specialists
> have known about this issue for some time: developers who worked on
> candidate fixes ahead of the public announcement, experts who warned about
> microarchitecture risks years ago, and any adversaries who acted on their
> warnings. Some people had advance information & time to consider candidate
> solutions, most [1] of the world did not.
>
> As a customer of $HW_vendor / Xen / $OS_vendor / $APP_vendor, the last thing
> I want to hear is that world-class specialists who have had weeks/months to
> evaluate candidate fixes have been unable to reach agreement and propose to
> delegate the decision TO CUSTOMERS (?!) That would be customers with only
> days of exposure to the CVE details, who still have to keep their regular
> business running, while trying to understand a complex security issue that
> eluded experts for decades.

I hope I'm not saying too much to say this: Those who knew about this were not working according to the normal XenProject Security Team rules; in fact the XenProject Security Team as such was only officially told on 3 January (the same day the issue went public). Those who knew were working under NDA and sharing of information was severely restricted, *even on people in the same team at the same organization*.

In the week that we've been able to openly discuss it, we've already come up with a large number of much better ideas than the people "in the know" were able to come up with crippled by a lack of ability to communicate.

I'm sure I speak for a number of people when I say that we're just as unhappy with that situation as you are.

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel