Xen project Mailing List

[Xen-devel] Xen Project Security Whitepaper v1 is ready for community review

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Lars Kurth <lars.kurth@xxxxxxxxxx>

Date: Fri, 18 May 2018 10:13:55 +0000

Accept-language: en-GB, en-US

Cc: Juergen Gross <jgross@xxxxxxxx>, "committers@xxxxxxxxxxxxxx" <committers@xxxxxxxxxxxxxx>, "security@xxxxxxxxxxxxxx" <security@xxxxxxxxxxxxxx>

Delivery-date: Fri, 18 May 2018 10:28:15 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHT7pDtSqPOenTcJkKuX04zid1Rmw==

Thread-topic: Xen Project Security Whitepaper v1 is ready for community review

Dear Community Members, just under 3 months ago, we started a community consultation titled "Xen Security Process Consultation: is there a case to change anything?" (see https://lists.xenproject.org/archives/html/xen-announce/2018-02/msg00000.html). As promised, I would collate the input - together with further analysis trying to genuinely consider the implications of what respondents to the consultation have been suggesting - in a white paper. The white paper is attached and contains 1) Baseline: an analysis of our XSAs and how we dealt with XSAs in the recent past 2) Results from the Community Consultation 2.1) Feedback received from a community consultation 2.2) Analysis 3) Recommendations and policy changes - some is quite extensive to try and tries to evaluate the impact of policy changes, which would result if we implemented solutions to issues highlighted by our users. The next step is for community members to provide public feedback. If it turns out there is a case for changes/improvements, I will condense the output of this discussion into a concrete change proposal (or a series thereof) to be voted on in the usual way. This may require several iterations. Note that the document contains workflow and tools related feedback, which I did not anticipate. Some issues highlighted should be easy to fix, others will require additional discussion on xen-devel@, such as * Inconsistent Meta Data and XSA prerequisites * Git baseline of patches * Release cycle related (issues) The document tries to label all discussion items, such that it is easy to comment. I normally attach a converted markdown version: however, this is unwieldly in this case, because there is a large number of tables and images. Thus, I have created a google doc copy which allows anyone with the following link https://docs.google.com/document/d/1FbGV4ZZB9OU8SI4b9ntnM-l6NaQLND8Yfd9u11V5Q5A/edit?usp=sharing to comment on sections of the document. If you do, please make sure you identify yourself in the comment and/or also highlight feedback in the e-mail thread discussion that will follow this document. Please also let us know areas of the whitepaper you agree with, as this will make it overall easier to identify how much consensus there would be to address specific issues and proposals in the document. Otherwise the discussion will primarily focus on points of contention, while other areas where in fact there may be consensus, will be missed. If there is little or no feedback (either positive or negative), we have to assume that people are happy with the status quo and that there is only a weak case for changes. Best Regards Lars

Attachment: Xen Project Security Whitepaper v1.0.pdf
Description: Xen Project Security Whitepaper v1.0.pdf

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.