From: Wojtek Porczyk <woju@invisiblethingslab.com>
To: Franz <169101@gmail.com>
Cc: xen-devel@lists.xen.org,
Joanna Rutkowska <joanna@invisiblethingslab.com>,
Jan Beulich <JBeulich@suse.com>,
"qubes-devel@googlegroups.com" <qubes-devel@googlegroups.com>
Subject: Re: [qubes-devel] Re: Critique of the Xen Security Process
Date: Mon, 9 Nov 2015 19:15:52 +0100 [thread overview]
Message-ID: <20151109181552.GA1383@invisiblethingslab.com> (raw)
In-Reply-To: <CAPzH-qDGU8b8N9kBFRiYbQ4VhReJfTEzMXZJom+fWFRuu130oA@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1302 bytes --]
On Mon, Nov 09, 2015 at 04:31:58PM +0000, Franz wrote:
> Perhaps a way out of this impasse is to put bounties on Xen security tasks
> identified by Joanna and properly advertise these bounties to Xen users.
> [snip]
This is fundamentaly wrong idea. Security isn't something you can
"apply" or put bounty on. It's a state of the mind, especcialy
developer's. Joanna wrote in her mail:
> > > I can't help but have a feeling that some of the Xen developers seem to be
> > > overconfident in their belief they can fully understand all the possible
> > > execution paths in their code. Well, the XSAs quoted above are an indisputable
> > > prove that this is not quite always the case. Realizing that, each developer by
> > > themselves, might be a great step towards a more secure hypervisor...
And that's why we can't just "submit a patch" to "contribute security".
There is something wrong with Xen as a whole project, but that something
isn't the code. There is a mindset to be fixed.
--
regards, _.-._
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>
[-- Attachment #1.2: Type: application/pgp-signature, Size: 819 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2015-11-09 18:15 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-06 17:22 Critique of the Xen Security Process Joanna Rutkowska
2015-11-06 19:41 ` James Bulpin
2015-11-06 22:42 ` Low Eel
2015-11-07 16:51 ` w.peter.howell
2015-11-09 12:11 ` Jan Beulich
2015-11-09 16:31 ` [qubes-devel] " Franz
2015-11-09 18:15 ` Wojtek Porczyk [this message]
2015-11-10 13:09 ` Lars Kurth
2015-11-10 14:10 ` Franz
2015-11-10 10:52 ` Lars Kurth
2015-11-11 11:36 ` Chris Laprise
2015-11-11 15:24 ` Lars Kurth
2015-11-09 21:48 ` Doug Goldstein
2015-11-11 9:43 ` Ian Campbell
2015-11-11 9:59 ` Lars Kurth
2015-11-11 17:21 ` Lars Kurth
2015-11-11 12:33 ` Raisin, was " Stefano Stabellini
2015-11-11 16:24 ` Doug Goldstein
2015-11-11 17:40 ` George Dunlap
2015-11-11 17:49 ` Stefano Stabellini
2015-11-11 12:34 ` Wei Liu
2015-11-09 22:00 ` chris
2015-11-10 2:46 ` [qubes-devel] " Radoslaw Szkodzinski
2015-11-11 20:14 ` chris
2015-11-11 12:59 ` Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151109181552.GA1383@invisiblethingslab.com \
--to=woju@invisiblethingslab.com \
--cc=169101@gmail.com \
--cc=JBeulich@suse.com \
--cc=joanna@invisiblethingslab.com \
--cc=qubes-devel@googlegroups.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.