[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] XCP: Insecure Distro ?



On Tue, May 10, 2011 at 4:29 AM, Adrien Guillon <aj.guillon@xxxxxxxxx> wrote:
> Security updates are common, and generally do not make major interface
> changes by design.  I have no desire to update anything aside from
> receiving fixes for buffer overflows, or other exploits that are found
> in the wild.  The system in question should be in production for
> several years, and security patches are inevitable during that period
> of time.

If you're familiar with Centos (which is what XCP is based on), you'll
notice that each point release (e.g. 5.5 -> 5.6) is usually a combo of
bug fix and new features. While the new features/version had some
level of testing (mainly by RedHat), there are always the possibilty
that it will introduce some level of incompatibilty with older
installed version (this happens for example when RedHat rebased their
Xen package from 3.0 to 3.1.2)

So if you "have no desire to update anything aside from receiving
fixes for buffer overflows, or other exploits that are found in the
wild", it's actually harder to implement than it sounds.

I'm not saying you're wrong. I'm simply saying implementing it is not
an easy task.

>
> It likely took some effort to eliminate /etc/shadow in the first
> place, as this has been standard practice for a very long time.  I
> will not debate the merits of storing hashes in /etc/passwd or
> /etc/shadow because that debate ended a very long time ago.

Christopher's mail has a link explaining why password is currently
stored in /etc/passwd

>  Quite
> simply this distro has a major security flaw.

I wouldn't call XCP a "distro". It's more like an appliance. IIRC the
supported "update" process is NOT by using yum (or some common distro
mechanism), but by a rolling upgrade using the next XCP version.

That being said, xen-users is mostly where users hang around. If you
have interest in contributing to improve XCP, you'd probably be better
posting to xen-devel.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.