
Re: Unsupported packages for Wheezy LTS



On 2016-05-13 06:30:35, Moritz Muehlenhoff wrote:
> On Fri, May 13, 2016 at 12:21:13PM +0200, Raphael Hertzog wrote:
>> On Fri, 13 May 2016, Moritz Muehlenhoff wrote:
>> > > I'm not convinced that
>> > > supporting the current Wheezy versions of QEMU for two more years is of
>> > > much use (in contrast to the version currently in Jessie) compared to
>> > > the effort of backporting security fixes.
>> > 
>> > Ack.
>> 
>> I'm not sure that I follow what you say here. You suggest to update qemu
>> in wheezy to the version currently in jessie? Is that correct?
>
> No, I recommend to EOL src:qemu/qemu-kvm in wheezy (the bits relevant to src:xen are
> somewhat isolated and can be backported from the Xen Security announcements)
> Backporting jessie's qemu will end up in a similar situation as the experiments
> with libav. 

See, this is what I think will be difficult in itself: some parts of
qemu were more or less completely rewritten between the two
releases. Specifically, the pnet.c driver I worked on to play catchup
with even only 4.1.6 was significantly changed between point releases. I
can't even begin to fathom how much has changed between xen/qemu wheezy
and jessie.

So if we're going to do this painful work, might as well maintain some
qemu interface in wheezy as well. I am not sure I see what additional
cost this would bring: although the attack surface is larger on qemu and
Xen uses only some parts of the Qemu codebase, disclosed vulnerabilities
concern mostly HVM support in Xen, and not the "unused from Xen" qemu
codebase...

But yeah, this seems exactly stuff that our sponsored Xen support team
should look into. ;)

> Anyone running a virtualisation server based on KVM/qemu is much better off
> with upgrading to jessie.

That is a tautology: anyone is better off upgrading to jessie if they
can afford it. :)

A.
-- 
We have no friends but the mountains.
                        - Kurdish saying

