Re: [Xen-devel] Xen Project Security Whitepaper v1 is ready for community review
On 2018-05-22 20:52, Steven Haigh wrote:
> On Tuesday, 22 May 2018 8:11:38 PM AEST Jan Beulich wrote:
>> On 18.05.18 at 19:53, <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> Alternative workaround for this would be more frequent point releases by
>>> default (maybe with ability to delay it if very few commits are queued).
>>> For example every 3 months. It wouldn't solve all the cases, but I think
>>> will make it easier most of the time.
>>
>> Is every 3 months so much better than every 4 months? Granted we
>> basically never manage to make it exactly 4 months, but on the
>> average I think we're not too far off.
>
> I think the big thing is reducing the delta between the staging branch and the
> release. I can only assume that would reduce the number of issues that occur
> with patching vs release tarballs - hopefully making the security team's job a
> little easier.
>
> That being said, if an approach of releasing a new build when we come across
> broken patch sets for XSAs (like the current 4.9.1 vs XSAs, and prior 4.10.0
> vs XSAs), then I think this part becomes irrelevant.

As another example for this, the patches for XSA263 do not apply to *any* released tarball version of Xen.

So far, the patches included with the announcement fail on 4.6, 4.7, 4.9 and 4.10.

I can only assume that this means all the XSA patches require commits that are currently in various staging git trees that have not been released in any formal manner via a point release.

-- 
Steven Haigh
netwiz@xxxxxxxxx
https://www.crc.id.au
+61 (3) 9001 6090
0412 935 897