From: Wojtek Porczyk
Subject: Re: [qubes-devel] Re: Critique of the Xen Security Process
Date: Mon, 9 Nov 2015 19:15:52 +0100
Message-ID: <20151109181552.GA1383@invisiblethingslab.com>
To: Franz <169101@gmail.com>
Cc: xen-devel@lists.xen.org, Joanna Rutkowska, Jan Beulich, "qubes-devel@googlegroups.com"

On Mon, Nov 09, 2015 at 04:31:58PM +0000, Franz wrote:
> Perhaps a way out of this impasse is to put bounties on Xen security tasks
> identified by Joanna and properly advertise these bounties to Xen users.
> [snip]

This is a fundamentally wrong idea. Security isn't something you can "apply" or
put a bounty on. It's a state of mind, especially the developer's. Joanna wrote in
her mail:

> > > I can't help but have a feeling that some of the Xen developers seem to be
> > > overconfident in their belief they can fully understand all the possible
> > > execution paths in their code. Well, the XSAs quoted above are an indisputable
> > > proof that this is not quite always the case. Realizing that, each developer by
> > > themselves, might be a great step towards a more secure hypervisor...

And that's why we can't just "submit a patch" to "contribute security".
There is something wrong with Xen as a whole project, but that something isn't
the code. There is a mindset to be fixed.

-- 
regards,
Wojtek Porczyk
Invisible Things Lab

I do not fear computers,
I fear lack of them.
    -- Isaac Asimov