
Re: Regressed XSA-286, was [xen-unstable test] 161917: regressions - FAIL



Firstly, let me try to deal with substance and/or technical merit.

Jan, I am finding it difficult to follow in your message whether you
are asserting that your disputed change (to Xen) did not introduce a
vulnerability.

I think you are saying that there is no vulnerability, because in any
overall configuration where this is a vulnerability, the guest would
have to be making an unjustified assumption.

If this is your reasoning, I don't think it is sound.  The question is
not whether the assumption is justified or not (answering which
question seems to require nigh-incomprehensible exegesis of processor
documentation).

The question is whether any guest does in fact make that assumption.
If any do, then there is a vulnerability.  Whether that's a
vulnerability "in" Xen or "in" the guest is just a question of
finger-pointing.

If none do then there is no vulnerability.


On to process:

Jan Beulich writes ("Re: Regressed XSA-286, was [xen-unstable test] 161917: regressions - FAIL"):
> On 16.06.2021 17:43, Andrew Cooper wrote:
> > I am very irritated that you have *twice* recently introduced security
> > vulnerabilities by bypassing my reviews/objections on patches.
> 
> I'm sorry, Andrew, but already in my original reply a month ago I did
> express that I couldn't find any record of you having objected to the
> changes. It doesn't help that you claim you've objected when you
> really didn't (which is the impression I get from not finding anything,
> and which also matches my recollection of what was discussed).

Andrew, can you provide references to your objections?

> I don't think I know which 2nd instance you're referring to, and hence
> I can't respond to that aspect.

And, likewise, references for this.

> > In the case of this revert specifically, I did get agreement on IRC
> > before reverting.
> 
> How can I know you did? You didn't even care to reply to my mail from
> a month ago. And there was no reason to make an emergency out of this
> and ask on irc. You could have sent mail just like is done for all
> other normal bug fixes etc. Iirc I was on PTO at that time; it would
> hence only have been fair to wait until my return.

I think it would be good practice to copy and paste relevant IRC
discussions into email in this kind of situation.  That email also
makes space to properly write down what you are doing, that you
realise it is controversial, who you have consulted, and why you are
going ahead.

I looked at one of the two disputed reverts in Xen,
cb199cc7de987cfda4659fccf51059f210f6ad34, and it does not have any
tags indicating approval by anyone else.

Andy, if you got agreement on IRC, who from? [1]

Ian.

[1] This may well have included me.  I do not reliably record this
kind of information in my wetware.  That is what we have computers
for.

