RE: LXR-type source code browsing

RE: LXR-type source code browsing

[Ian Pratt]

> What is the timeline for deploying the new server?  Access to the LXR 
> repository is something I would find immediately useful.

I hope we can get something fairly soon, I'll let you know.

> P.S. Is there a problem with the mail at sourceforge?  My posts to 
> xen-devel made it out immediately in December, but today the 
> lag is 45 
> minutes or more.

Sourceforge lists are always pretty eratic -- as a list admin they're a
real hassle too.
At least its been a couple of months since the list last broke
completely.

I sometimes think about moving the list onto our own majordomo setup,
but it would be quite an upheaval for subscribers, particularly those
that have mail filters set up. What do people think? Happy with
sourceforge, or time to move?

Ian


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

Re: LXR-type source code browsing

[Anthony Liguori]

Ian Pratt wrote:

>I sometimes think about moving the list onto our own majordomo setup,
>but it would be quite an upheaval for subscribers, particularly those
>that have mail filters set up. What do people think? Happy with
>sourceforge, or time to move?
>
>  
>
I've noticed pretty bad lag on sourceforge for the past couple weeks.  I 
get the direct CC'd response long before the mailing list message.

It might break some peoples rules, but it also might be a good 
opportunity to introduce a xen-users list too.  Might make searching for 
old answers a bit easier.

Regards,

>Ian
>
>
>-------------------------------------------------------
>The SF.Net email is sponsored by: Beat the post-holiday blues
>Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>_______________________________________________
>Xen-devel mailing list
>Xen-devel@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/xen-devel
>
>  
>


-- 
Anthony Liguori
anthony@codemonkey.ws



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

RE: LXR-type source code browsing

[Ian Pratt]

> Would it perhaps be even better to run snort in an 
> unprivileged domain, using
> iptables to feed traffic to that domain?

Sure, this could be done, but it would be most efficient to run it in
whichever domain has the bridge. The tools currently don't make it easy
to setup drivers in other domains. 

> Incidentally, why isn't iptables support built into the 
> default xen/linux kernels?
> iptables seems a natural fit with a project that can do so 
> much for system security.

iptables is built as a module in the default 2.6 xen0 config.

Ian


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

RE: LXR-type source code browsing

[Ian Pratt]

> Has anyone (or is anyone) setting up a LXR-style code browser (like 
> http://lxr.linpro.no/source) for the different Xen trees?

Like you, we have an internal LXR server.

I've never been very convinced about the security of LXR. Do you reckon
we'd get away with running one on the public internet? Do you know
whether lxr.linpro.no have had problems?

We're planning on setting up the wiki and bugzilla each in their own VM
with snort running in domain 0 to scrutinize the traffic. I guess we
could add lxr to the mix and see what happens...

Ian 

> I sat down thinking it would be a 5-minute operation and 
> after several 
> hours I've finally gotten it running (albeit incorrectly) on 
> my desktop 
> development machine.  Before I continue to bang my head on 
> getting the 
> cross-references correct and automatically downloading the 
> nightly tarball 
> update, I realized I should ask if anyone else has already 
> gone through 
> the process.
> 
> Unfortunately, I can't make my desktop machine visible outside IBM -- 
> perhaps there's a machine somewhere that could host this?  
> Maybe the new 
> coming-soon official Xen wiki/etc server?  I can contribute 
> my accumulated 
> "hours of expertise" to getting this set up if a platform 
> comes together.
> 
> John
> 
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by: Beat the post-holiday blues
> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xen-devel
> 


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

RE: LXR-type source code browsing

[John L Griffin]

> I've never been very convinced about the security of LXR. Do you reckon
> we'd get away with running one on the public internet? Do you know
> whether lxr.linpro.no have had problems?

Offhand I'm not aware of any, though they have occasionally pushed updates 
that remove vulnerabilities (i.e., version 0.3.1, Mar 2003).  The 
lxr.linpro.no site replaced what used to be lxr.linux.no site [for what 
seems to be bandwidth-related reasons], and they have an LXR repository 
hosted at mozilla.org -- both are popular sites, so my guess is security 
problems would crop up more often if LXR was indeed prone to them.

As you point out, Xen provides an ideal environment for opening access to 
a sandboxed LXR webserver.  :-)

What is the timeline for deploying the new server?  Access to the LXR 
repository is something I would find immediately useful.

JLG

P.S. Is there a problem with the mail at sourceforge?  My posts to 
xen-devel made it out immediately in December, but today the lag is 45 
minutes or more.



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

Re: LXR-type source code browsing

[Shane Geiger]

> Like you, we have an internal LXR server.
> 
> I've never been very convinced about the security of LXR. Do you reckon
> we'd get away with running one on the public internet? Do you know
> whether lxr.linpro.no have had problems?
> 
> We're planning on setting up the wiki and bugzilla each in their own VM
> with snort running in domain 0 to scrutinize the traffic. I guess we
> could add lxr to the mix and see what happens...
> 
> Ian 



Your suggestion to use snort in dom0 sounds like a great way to keep track of what
is going on in the other domains.  It sparks my interest in taking part in the
discussion, as I have been thinking through the best ways to use Xen to create
a higher level of trust in my systems.

Because security of dom0 seems of the upmost importance, I have been
inclined to do less in dom0...rather than more.  I have been thinking of making
only ssh available from the outside, even protecting the ssh port with port
knocking.  I would use dom0 for compiling new xen/linux kernels, for managing
the other domains (as with the xm command), and for running iptables, which
would run in dom0 to protect all the other domains.  I would also do filesystem
integrity checking within dom0 and sending syslog to a remote server.  Outside
of those duties, I don't think dom0 needs to do much for me.

Given that approach to using dom0 in a more tightly controlled way, the only
other vectors of attack upon dom0, as I see them, would be these scenarios:

1) network attack via iptables or on the tcp/ip stack itself (unlikely)

2) virtual machine attack on a vulnerability that allows access to dom0 (unlikely)

3) tcp session hijacking of an ssh session

So, by using dom0 as a special-purpose domain, risk to compromising the entirely
system would be minimized.

Would it perhaps be even better to run snort in an unprivileged domain, using
iptables to feed traffic to that domain?

Incidentally, why isn't iptables support built into the default xen/linux kernels?
iptables seems a natural fit with a project that can do so much for system security.

Thanks to everyone working on this wonderful project.

Shane




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

LXR-type source code browsing

[John L Griffin]

Has anyone (or is anyone) setting up a LXR-style code browser (like 
http://lxr.linpro.no/source) for the different Xen trees?

I sat down thinking it would be a 5-minute operation and after several 
hours I've finally gotten it running (albeit incorrectly) on my desktop 
development machine.  Before I continue to bang my head on getting the 
cross-references correct and automatically downloading the nightly tarball 
update, I realized I should ask if anyone else has already gone through 
the process.

Unfortunately, I can't make my desktop machine visible outside IBM -- 
perhaps there's a machine somewhere that could host this?  Maybe the new 
coming-soon official Xen wiki/etc server?  I can contribute my accumulated 
"hours of expertise" to getting this set up if a platform comes together.

John



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

Re: LXR-type source code browsing

[Gregor Milos]

It would be nice to have one place to create LXR repository. It seems we are 
creating more and more copies of the same thing (there is one in the Computer 
Laboratory, one in Intel Research[maintained by me] and now yours).
Any volunteer to host this (unfortunately it takes quite a lot of hard disk 
space - 6 crossreferenced kernels and sourcecode amounts to total of about 
2Gb)?

Cheers
Gregor

> Has anyone (or is anyone) setting up a LXR-style code browser (like
> http://lxr.linpro.no/source) for the different Xen trees?
>
> I sat down thinking it would be a 5-minute operation and after several
> hours I've finally gotten it running (albeit incorrectly) on my desktop
> development machine.  Before I continue to bang my head on getting the
> cross-references correct and automatically downloading the nightly tarball
> update, I realized I should ask if anyone else has already gone through
> the process.
>
> Unfortunately, I can't make my desktop machine visible outside IBM --
> perhaps there's a machine somewhere that could host this?  Maybe the new
> coming-soon official Xen wiki/etc server?  I can contribute my accumulated
> "hours of expertise" to getting this set up if a platform comes together.
>
> John
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by: Beat the post-holiday blues
> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xen-devel

-- 
Quidquid latine dictum sit, altum viditur --- Anon


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt

Re: LXR-type source code browsing

[Per Buer]

John L Griffin wrote:

>Has anyone (or is anyone) setting up a LXR-style code browser (like 
>http://lxr.linpro.no/source) for the different Xen trees?
>  
>
http://lxr2.linpro.no/source/

-- 
Per Andreas Buer




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt