>>> AFAIK Xen in Wheezy is using the version shipped with Xen itself and we

Yes, and this is used to support HVM mode guests, where the security of qemu matters. Seemingly (from qemu/VERSION) this is a very old "0.10.2" version of qemu!!! I do wonder to what extent updating _that_ qemu used to build xen-4.1 is practicable or desirable. Upstream qemu have only just announced a version that no longer supports xen 4.1 and earlier... One way or another that xen qemu needs security-fixes.

> AFAIK Xen uses only parts of the QEMU codebase. I'm not convinced
> that supporting the current Wheezy versions of QEMU for two more
> years is of much use (in contrast to the version currently in
> Jessie) compared to the effort of backporting security fixes.

Looking at it initially, I suspect many wheezy users of 'qemu' (1.2) would be happily updated to the 'wheezy-backports' qemu 2.1 version (though it needs a symlink from qemu to qemu-system-i386), but we should ask that question more widely... Seemingly the functionality is very similar/compatible, but no doubt subtle differences would break SOMETHING for SOMEBODY e.g. certain configs of pci/chipset updates have changed somewhat.... Those with heavily customized qemu config would need to pay attention to them, etc, but I very much suspect many typical use-cases would not have a problem with largely backwards compatible command line arguments.

I had noticed more substantive qemu changes between 0.9.x and 1.x myself that had led to keeping a "qemu-old" variant for some old virtual-machines not to change their apparent "identity" so far as the virtualized-devices were concerned.

> …or update QEMU?

As above, consider, including for the variant _inside_ xen, could that (if helpful) actually be changed from 0.10.2 'ancient' version, maybe backporting is not a problem.

But, qemu users may well be able to update host distribution, as that is still supported across all architectures, whereas xen-hypervisor-i386 is only available in wheezy so can't just 'upgrade' on 32bit machines.

Hope that helps,

--Simon