
Re: [Publicity] [blog post draft] Security vs features



I like this, Ian, but the title didn't quite match for me.  Since the bulk of 
the blog is security focused, perhaps changing the title to something like 
"Security as a feature" might be a closer match.  That would also map to the 
welcome of security related contributions in the conclusion and the point about 
how we each choose our way to contribute.

-tim

> -----Original Message-----
> From: publicity-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:publicity-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Ian Jackson
> Sent: Friday, October 30, 2015 7:57 AM
> To: publicity@xxxxxxxxxxxxxxxxxxxx
> Subject: [Publicity] [blog post draft] Security vs features
> 
> We've just released a rather exciting batch of Xen security advisories.
> There's <a href="https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt">grumbling</a>
> in some quarters that we're not taking security seriously.
> 
> I have a longstanding interest in computer security.  Nowadays I am a
> member of the Xen Project Security Team (the team behind
> security@xenproject, which drafts the advisories and coordinates the
> response).  But this is going to be a personal opinion.
> 
> Of course Invisible Things are completely right that security isn't
> taken seriously enough.  The general state of computer security in
> almost all systems is terrible.  The reason for this is quite simple:
> we all put up with it.  We, collectively, choose convenience and
> functionality: both when we decide which software to run for ourselves,
> and when we decide what contributions to make to the projects we care
> about.
> 
> That's not to say that the many of us involved with the Xen Project
> aren't working to improve matters.
> 
> The first part of improving anything is to know what the real situation
> is.  Unlike almost every other hypervisor, Xen <a
> href="http://xenbits.xen.org/xsa/">properly discloses</a>, via an
> advisory, every vulnerability discovered in supported configurations.
> 
> Security bugs are bugs, and over the last few years Xen's code review
> process has become a lot more rigorous.  As a result, the quality of
> code being newly introduced into Xen has improved a lot.
> 
> For researchers developing new analysis techniques, Xen is a prime
> target.  A significant proportion of the reports to security@xenproject
> are the result of applying new scanning techniques to our codebase.  So
> our existing code is being audited, with a focus on the areas and
> techniques likely to discover the most troublesome bugs.
> 
> The difference in approach to disclosure makes it difficult to compare
> the security bug density of competing projects.  When I worked for a
> security hardware vendor I was constantly under pressure to explain why
> we needed to do a formal advisory for our bugs.  That is what security-
> conscious users expect, but our competitors' salesfolk would point to
> our advisories and say that our products were full of bugs.
> Their product had no publicly disclosed security bugs, so they would
> tell naive customers that their product had no bugs.
> 
> I do think Xen probably has
> <a href="http://xenbits.xen.org/people/iwj/2015/fosdem-security/">fewer
> critical security bugs</a> than other hypervisors.  It's the best
> available platform for building high security systems.  But that
> doesn't mean Xen is good enough.
> 
> Ultimately, of course, a Free Software project like Xen is what the
> whole community makes it.  In the project as a whole we get a lot more
> submissions of new functionality than we get submissions aimed at
> improving the security.
> 
> So personally I very much welcome the contributions made by security-
> focused contributors - even if that includes criticism.
> 
> _______________________________________________
> Publicity mailing list
> Publicity@xxxxxxxxxxxxxxxxxxxx
> http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity

