[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Publicity] [blog post draft] Security vs features
Generally this looks good > On 30 Oct 2015, at 11:56, Ian Jackson <ian.jackson@xxxxxxxxxxxxx> wrote: > > We've just released a rather exciting batch of Xen security > advisories. There's <a > href="https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt">grumbling</a> > in some quarters that we're not taking security seriously. > > I have a longstanding interest in computer security. Nowadays I am a > member of the Xen Project Security Team (the team behind > security@xenproject, which drafts the advisories and coordinates the > response). But this is going to be a personal opinion. > > Of course Invisible Things are completely right that security isn't > taken seriously enough. The general state of computer security in > almost all systems is terrible. I can see Zibby moaning about this (-: > The reason for this is quite simple: > we all put up with it. We, collectively, choose convenience and > functionality: both when we decide which software to run for > ourselves, and when we decide what contributions to make to the > projects we care about. I am wondering, whether it is worth pointing out that there is constant pressure by users, customers and the press to focus on new features which exacerbates the situation. This is in particular true for high-profile open source projects. > > That's not to say that the many of us involved with the Xen Project > aren't working to improve matters. > > The first part of improving anything is to know what the real > situation is. Unlike almost every other hypervisor, maybe make this stronger: other hypervisor or open source project > Xen > <a href="http://xenbits.xen.org/xsa/">properly discloses</a>, via an > advisory, every vulnerability discovered in supported configurations. It may be worthwhile highlighting that we also handle many security issues of upstreams such as Linux and QEMU which are counted against our stats, while other projects don't do this > Security bugs are bugs, and over the last few years Xen's code review > process has become a lot more rigorous. As a result, the quality of > code being newly introduced into Xen has improved a lot. > > For researchers developing new analysis techniques, Xen is a prime > target. A significant proportion of the reports to > security@xenproject are the result of applying new scanning techniques > to our codebase. So our existing code is being audited, with a > focus on the areas and techniques likely to discover the most > troublesome bugs. > > The difference in approach to disclosure makes it difficult to compare the > security bug density of competing projects. When I worked for a > security hardware vendor I was constantly under pressure to explain > why we needed to do a formal advisory for our bugs. That is what > security-conscious users expect, but our competitors' salesfolk would > point to our advisories and say that our products were full of bugs. > Their product had no publicly disclosed security bugs, so they would > tell naive customers that their product had no bugs. > > I do think Xen probably has > <a href="http://xenbits.xen.org/people/iwj/2015/fosdem-security/">fewer > critical security bugs</a> > than other hypervisors. It's the best available platform for building > high security systems. But that doesn't mean Xen is good enough. > > Ultimately, of course, a Free Software project like Xen is what the > whole community makes it. In the project as a whole we get a lot more > submissions of new functionality than we get submissions aimed at > improving the security. > > So personally I very much welcome the contributions made by > security-focused contributors - even if that includes criticism. I think this is very good Lars _______________________________________________ Publicity mailing list Publicity@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |