Re: [Publicity] Docker Open Source Container Virtualization on the Rise
On Tue, 2014-02-11 at 19:42 +0000, Anil Madhavapeddy wrote:
> Perhaps the simplest thing is to look for a list of recent CVE
> vulnerabilities and highlight which ones would be blocked by Xen, KVM
> and containers.

One thing worth remembering is that Xen has a well defined security response process[0] and is proactive and transparent about issuing advisories (and CVEs) for anything which we become aware of, even relatively minor issues, while I don't believe the same can be said of Linux and by extension containers.

AFAIK security fixes to Linux are made, deliberately and explicitly, in a very low key way and appear as any other bugfix. They are not highlighted as security relevant and mention of a CVE or security aspect is routinely stripped from the commit log comments. CVEs are issued after the fact, if at all, when someone who is watching the commit stream spots it, realises the security impact, and requests it for themselves/their distro/etc or when the original author does so independently.

So the risk is that Xen CVEs will be over represented in the set of CVEs. On the other hand maybe the sheer volume of CVEs means that even if they are under reported there are loads of them anyway...

FWIW AIUI KVM is a bit split brained -- the kernel side is somewhat as above and the qemu side is more transparent (although I don't think to the same extent Xen is) and does issue advisories. My gut feeling is that it is probable that kernel side KVM issues tend to get a CVE, via the original author or the qemu security team requesting one, more often than the overall Linux norm.

Not saying it isn't worth running the numbers, but something to keep in mind during the analysis.

Ian.

[0] http://www.xenproject.org/security-policy.html