Re: [qubes-devel] Re: Critique of the Xen Security Process

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chris Laprise <tasket@openmailbox.org>
To: Lars Kurth <lars.kurth.xen@gmail.com>, Franz <169101@gmail.com>
Cc: "qubes-devel@googlegroups.com" <qubes-devel@googlegroups.com>,
	Joanna Rutkowska <joanna@invisiblethingslab.com>,
	Jan Beulich <JBeulich@suse.com>,
	xen-devel@lists.xen.org
Subject: Re: [qubes-devel] Re: Critique of the Xen Security Process
Date: Wed, 11 Nov 2015 06:36:49 -0500	[thread overview]
Message-ID: <56432851.8070904@openmailbox.org> (raw)
In-Reply-To: <B8F26DD4-19FA-43DF-8897-077052934585@gmail.com>

Hello...

On 11/10/2015 05:52 AM, Lars Kurth wrote:
> Hi everyone,
>
> firstly I wanted to thank everyone for raising this issue. I wanted to 
> point out that we are not talking about a security process here, but 
> the development process. Or more accurately the cost of writing more 
> secure code and the relative importance of security compared to 
> features. And of course the recent increase of relative importance of 
> "built-in security as a feature" since Snowden.
>
>> On 9 Nov 2015, at 16:31, Franz <169101@gmail.com 
>> <mailto:169101@gmail.com>> wrote:
>>
>>     (Please note that all of the above are my personal views, i.e. I'm
>>     explicitly not speaking on behalf of the project.)
>>
>>
>> It seems positions are antithetic with no possible compromise in 
>> view. Sadly this is a general problem of FOSS software: developers  
>> tend to do what they like and not what users request. And who can 
>> blame developers for that? After all they are working as volunteers 
>> so they deserve to do what they like. No possible compromise.
>
> I don't think this is a fair statement: more than 95% of developers 
> working on Xen are employees of large organisations. And they follow 
> the priorities that their employers set. The same is true in Linux and 
> for comparable projects and of course for proprietary software 
> developers. Blaming open source developers, is simply wrong and not 
> constructive.

Nevertheless, Xen is a creature of interfaces that purport to uphold 
contracts. These (software engineering, not legal) contracts are 
explicitly security-themed... the software is promising to isolate 
processes from each other and protect against privilege escalation. The 
Xen project itself asserts that it is focused on the security benefits 
of the hypervisor (to the point of invoking "microkernel" in Xen's 
description), not mere administrative convenience.

What seems to be missing from the defense of Xen project so far in this 
thread is a level of acknowledgement of this very important aspect of 
twenty-first century software development: Can you honor what your 
interfaces communicate to your audience? Its true that some FOSS 
projects do not care for modern methodologies (which are greatly about 
concept and mindset), but should Xen be that way?

Should Xen project also be a blanket absolution of "blame"? And is the 
corporate status of some of its contributors a proper justification for 
being blame-less (perhaps we can think of them like members of 'The 
Borg')? I think not.

This is the trap that FOSS projects most commonly fall into: 'We are 
free to publish because of liberty, but you are not free to criticize.' 
Its odd when you think about it. This is the squandering of user 
motivation and valuable feedback.

>
> In fact, throughout 2014 and 2015, the project has received complaints 
> from several large vendors that the Xen Project today is too rigorous 
> with code reviews compared to Linux, KVM...

Famous last words before a Heartbleed-scale media circus ensues?

>
> I can certainly raise this suggestion with the Advisory Board and see 
> whether we can make some funds available. However, the board has 
> already invested nearly 50% of its entire budget in Test 
> Infrastructure and is planning to continue to spend in this area at 
> roughly this proportion of the projects budget. However, we do not 
> have huge amounts of funds: thus, what we could do with bounties would 
> necessarily be limited.
>
> I personally also looked at other ways to change the cost-benefit 
> equation. One example is the Feature Maturity Lifecycle (see 
> http://lists.xen.org/archives/html/xen-devel/2015-11/msg00609.html & 
> http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg01992.html) 
> which aims to use better classification to change behaviour of 
> contributors.
>
> I do hope, that this discussion can remain constructive. De-motivating 
> the good work many of our developers (and in particular code 
> reviewers) are doing, is really not helpful in this context.
>

It does seem to me that the suggestion of a Long-Term Support (LTS) 
release is a constructive one, among the other suggestions that Joanna 
made. The FML you cite is interesting, but seems to be aimed squarely at 
developers. You are bound to get better results if the expectations of 
users change along with developers, so LTS releases may be the better idea.

> Best Regards
> Lars
>
>

next prev parent reply	other threads:[~2015-11-11 11:36 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-06 17:22 Critique of the Xen Security Process Joanna Rutkowska
2015-11-06 19:41 ` James Bulpin
2015-11-06 22:42 ` Low Eel
2015-11-07 16:51 ` w.peter.howell
2015-11-09 12:11 ` Jan Beulich
2015-11-09 16:31   ` [qubes-devel] " Franz
2015-11-09 18:15     ` Wojtek Porczyk
2015-11-10 13:09       ` Lars Kurth
2015-11-10 14:10         ` Franz
2015-11-10 10:52     ` Lars Kurth
2015-11-11 11:36       ` Chris Laprise [this message]
2015-11-11 15:24         ` Lars Kurth
2015-11-09 21:48 ` Doug Goldstein
2015-11-11  9:43   ` Ian Campbell
2015-11-11  9:59     ` Lars Kurth
2015-11-11 17:21       ` Lars Kurth
2015-11-11 12:33     ` Raisin, was " Stefano Stabellini
2015-11-11 16:24       ` Doug Goldstein
2015-11-11 17:40         ` George Dunlap
2015-11-11 17:49           ` Stefano Stabellini
2015-11-11 12:34   ` Wei Liu
2015-11-09 22:00 ` chris
2015-11-10  2:46   ` [qubes-devel] " Radoslaw Szkodzinski
2015-11-11 20:14     ` chris
2015-11-11 12:59 ` Stefano Stabellini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56432851.8070904@openmailbox.org \
    --to=tasket@openmailbox.org \
    --cc=169101@gmail.com \
    --cc=JBeulich@suse.com \
    --cc=joanna@invisiblethingslab.com \
    --cc=lars.kurth.xen@gmail.com \
    --cc=qubes-devel@googlegroups.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.