Xen project Mailing List

Re: [Xen-devel] Security support scope (apropos of Xen and CNA)

To: "Ian Jackson" <ian.jackson@xxxxxxxxxxxxx>

From: "Jan Beulich" <JBeulich@xxxxxxxx>

Date: Thu, 04 May 2017 07:12:56 -0600

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, security-team-members@xxxxxxxxxxxxxx

Delivery-date: Thu, 04 May 2017 13:13:21 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 04.05.17 at 14:53, <ian.jackson@xxxxxxxxxxxxx> wrote: > To become a CNA (CVE Numbering Authority), which we would like to do, > we need to provide MITRE's CNA programme with a definition of the > scope of our CNA. That should be the scope of our general security > support, clearly. > > At the moment we don't seem to have this written down in a single > clear document. I am aware of the following places which can contain > information about security support (normally, in the form of > statements saying that certain things are not supported): > > * https://wiki.xenproject.org/wiki/Xen_Project_Release_Features has a > table of versions with security support, and information about some > features. > > * xen.git:docs/misc/qemu-xen-security, limits security support to > some configurations. > > * xen.git:MAINTAINERS might in principle have a status not implying > security support. > > * Docs for an individual feature (eg in xl docs) might say that the > feature is not advised, or not supported, or something. > > * Previous XSA advisories might withdraw support. > > This diversity of information sources is rather unsatisfactory. > > I think we need to at least reduce the number of different information > sources. Also we need an overview document which points to them all. > > Where should this overview document be ? Which of the above sources > should be coalesced into which others ? Generally the (or a new) wiki page would seem the best place to me, if only there weren't some pretty fine grained restrictions, like the use of certain command line options rendering the whole thing unsupported. For that specific example, it would seem to me that only the command line doc itself would be a suitable place (and we'd basically have to go through and add a warning for every such option). Bottom line - I'm not sure a single place will do, but of course one central place could/should xref all other places with additional information. Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.