
Re: [Publicity] [blog post draft] Security vs features [and 1 more messages]



Lars Kurth writes ("Re: [Publicity] [blog post draft] Security vs features"):
> Generally this looks good
> >  The reason for this is quite simple:
> > we all put up with it.  We, collectively, choose convenience and
> > functionality: both when we decide which software to run for
> > ourselves, and when we decide what contributions to make to the
> > projects we care about.
> 
> I am wondering, whether it is worth pointing out that there is constant 
> pressure by users, customers and the press to focus on new features which 
> exacerbates the situation. This is in particular true for high-profile open 
> source projects.

I think that's what I am saying.  But I can strengthen it.

  For almost all software there is much stronger pressure (from all
  sides) to add features, than to improve security.

> > That's not to say that the many of us involved with the Xen Project
> > aren't working to improve matters.
> > 
> > The first part of improving anything is to know what the real
> > situation is.  Unlike almost every other hypervisor,
> 
> maybe make this stronger: other hypervisor or open source project

   Unlike almost every other hypervisor and even
  most Free Software projects, Xen ...

> > Xen
> > <a href="http://xenbits.xen.org/xsa/">properly discloses</a>, via an
> > advisory, every vulnerability discovered in supported configurations.
> 
> It may be worthwhile highlighting that we also handle many security issues of 
> upstreams such as Linux and QEMU which are counted against our stats, while 
> other projects don't do this

Interesting point.

  We also often disclose, via our XSA process, Xen-related security
  issues in other projects such as Linux and Qemu.

> I think this is very good

Tim Mackey writes ("RE: [Publicity] [blog post draft] Security vs features"):
> I like this, Ian, but the title didn't quite match for me.  Since
> the bulk of the blog is security focused, perhaps changing the title
> to something like "Security as a feature" might be a closer match.
> That would also map to the welcome of security related contributions
> in the conclusion and the point about how we each choose our way to
> contribute.

Hrm.  I think `security as a feature' is rather too `spin'-like for me.

OTOH I'm not very attached to the current title.  Any other
suggestions ?

Thanks,
Ian.
