[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))



On Mon, 2013-01-07 at 11:36 +0000, Ian Campbell wrote:
> On Mon, 2013-01-07 at 11:21 +0000, Andrew Cooper wrote:
> > On 07/01/13 11:08, Keir Fraser wrote:
> > > On 07/01/2013 10:21, "Ian Campbell"<ijc@xxxxxxx>  wrote:
> > >>        * debug=y bugs are Just Bugs and not security issues. i.e. they
> > >>          are discussed and fixed publicly on xen-devel and the fix is
> > >>          checked in in the usual way. There is no embargo or specific
> > >>          announcement. changelog may or may not refer to the security
> > >>          implications if debug=y is enabled.
> > > This is my preference. I consider debug builds to be developer builds, and
> > > wouldn't expect to see them used in production environments. We set 
> > > debug=n
> > > by default in our stable branches for that reason.
> > >
> > >   -- Keir
> > 
> > I second this opinion.  Production environments should not be running 
> > development builds.
> 
> I tried to keep my initial mail unbiased, but this is my opinion too.

Looks like we have a consensus on this then.

Lars, could you add some words to the doc?

e.g. under "Scope of this process".

This process primarily covers the Xen Hypervisor Project. Vulnerabilties
reported against other Xen.org projects will be handled on a best effort
basis by the relevant Project Lead together with the security team.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.