WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

RE: [Xen-devel] xen-stable vs. xen-testing

To: "Derek Glidden" <dglidden@xxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] xen-stable vs. xen-testing
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Mon, 10 Jan 2005 22:45:16 -0000

> So given the recent announcement of the linux local-privilege-escalation
> I want to upgrade my Xen box/VM to the latest kernel.  I see that the
> xen-2.0 tree still has 2.6.9 and xen-testing has 2.6.10 patches.  So I
> have a few questions:
> 
> a) how stable is "testing" really?

Usually pretty good. You see the odd followup patch or revert before a
release, but I don't think there have been too many shockers. (Hmm,
though I just thought of one from a couple of weeks back :-)
 
> b) can I just build new kernels from the -testing tree or should I build
> the Xen VMM as well?

You should just be able to build new kernels, but I'd recommend building
both otherwise you'll have a configuration that has never been tested
together.

> c) do any of the Xen folks track BUGTRAQ or anything to keep up on
> potential kernel-level bugs that should be addressed relatively quickly?

Typically we just release a new kernel as soon as Linus/Andrew does.
We usually have the new version out within a couple of days.

>   Granted, I don't think I've seen a legitimate linux kernel exploit in
> like four or five years now, but should another one pop up and I do
> track security lists would it be worth my effort to relay the info to
> the xen-list?

Feel free to, but we generally only prefer to release arch Xen patches
against official versions of the kernel. We could add a line to
buildconfigs/mk.linux-2.6 which applies a standard patch, though.

Since the vast majority of kernel exploits turn out to be bugs in arch
independent common code, you'll probably find the standard patch applies
just fine.
 
> d) I realize that Xen is really still R&D for the most part, but how do
> the Xen team feel about security issues like this?

We certainly care about security, but more so in our own code.

Best,
Ian

