
Re: [Xen-devel] Xen Project Security Whitepaper v1 is ready for community review



On 2018-05-22 20:52, Steven Haigh wrote:
On Tuesday, 22 May 2018 8:11:38 PM AEST Jan Beulich wrote:
>>> On 18.05.18 at 19:53, <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Alternative workaround for this would be more frequent point releases by
> default (maybe with ability to delay if very few commits are queued).
> For example every 3 months. It wouldn't solve all the cases, but I think
> will make it easier most of the time.

Is every 3 months so much better than every 4 months? Granted we
basically never manage to make it exactly 4 months, but on the average
I think we're not too far off.

I think the big thing is reducing the delta between the staging branch and the release. I can only assume that would reduce the number of issues that occur with patching vs release tarballs - hopefully making the security team's job a little easier.

That being said, if an approach of releasing a new build when we come across broken patch sets for XSAs (like the current 4.9.1 vs XSAs, and prior 4.10.0 vs XSAs), then I think this part becomes irrelevant.

As another example for this, the patches for XSA263 do not apply to *any* released tarball version of Xen.

So far, the patches included with the announcement fail on 4.6, 4.7, 4.9 and 4.10.

I can only assume that this means all the XSA patches require commits that are currently in various staging git trees that have not been released in any formal manner via a point release.

--
Steven Haigh

netwiz@xxxxxxxxx     https://www.crc.id.au
+61 (3) 9001 6090    0412 935 897
