Re: Xen 4.4 updates vs. Xen Stretch backport

To: Peter Dreuw <peter.dreuw@credativ.de>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Xen 4.4 updates vs. Xen Stretch backport
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 28 Nov 2018 22:44:52 +0100
Message-id: <[🔎] 20181128214452.acv4oa4rkvqn5tll@inutil.org>
In-reply-to: <[🔎] 9bf4c119-d940-c01b-fb95-dd8ad433f866@credativ.de>
References: <[🔎] 9bf4c119-d940-c01b-fb95-dd8ad433f866@credativ.de>

On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
> Hi out there,
> Another option would be backporting the Xen
> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
> Stretch to Jessie.

What would be the point? If you migrate to a complete new Xen release,
then you can just as well migrate to stretch (which will also have
proven, compatible matching versions of libvirt/Linux/qemu/ etc.

If some of the Spectre mitigations can't be backported, make a detailed
writeup of what people are missing in 4.4 and let them handle it
based on that data (update to stretch or stick with 4.4/jessie); there's
still plenty of legitimate use cases which can be run in a secure
manner with 4.4 (internal VMs with trusted users etc).

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Xen 4.4 updates vs. Xen Stretch backport
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- Xen 4.4 updates vs. Xen Stretch backport
  - From: Peter Dreuw <peter.dreuw@credativ.de>

Prev by Date: Xen 4.4 updates vs. Xen Stretch backport
Next by Date: not many tasks in dla-needed.txt, is extra CVE triaging required
Previous by thread: Xen 4.4 updates vs. Xen Stretch backport
Next by thread: Re: Xen 4.4 updates vs. Xen Stretch backport
Index(es):
- Date
- Thread