From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Maydell Subject: Re: [PATCH 0/11] Xen PCI Passthrough security fixes Date: Tue, 2 Jun 2015 16:51:21 +0100 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Stefano Stabellini Cc: "xen-devel@lists.xensource.com Devel" , QEMU Developers , JBeulich@suse.com List-Id: xen-devel@lists.xenproject.org On 2 June 2015 at 16:32, Stefano Stabellini wrote: > On Tue, 2 Jun 2015, Stefano Stabellini wrote: >> Hi all, >> >> the following is a collection of QEMU security fixes for PCI Passthrough >> on Xen. Non-Xen usages of QEMU are unaffected. >> >> Although the CVEs have already been made public, given the large amount >> of changes, I decided not to send a pull request without giving a chance >> to the QEMU community to comment on the patches first. > > Peter convinced me to send out a pull request immediately. If anybody > has any comments on the patches, we can still fix them up later or even > revert them if that becomes necessary. For the record, the rationale is: * fixes for CVEs will have been reviewed during the nondisclosure period * getting security fixes into master in a timely fashion is important * having the patches in upstream master be different from the ones advertised with the CVE can cause confusion about which are "correct" * if there are any problems with the CVE fixes (stylistic or otherwise) we can correct them with followup patches Our workflow/process for handling security issues is not set in stone (indeed it's evolving a bit at the moment), so comments/suggestions welcome. thanks -- PMM