Re: Xen 4.4 updates vs. Xen Stretch backport

Hi Peter and everyone,

first of all, thank you all for contributing to this thread!

On Mon, Dec 03, 2018 at 08:40:08PM +0000, Ben Hutchings wrote:
> > If so, the other fixes are probably not too much work. But implementing
> > BTI fixes is a long and unknown road. I cannot give any reliable numbers
> > how much work that would be. But anybody can estimate that this will be
> > much more than a few days to get done. There might be a shortcut for
> > some patches by backporting independent code chunks like I did with the
> > grant table code for Xen 4.1 (Wheezy) but for now, I can't oversee all
> > of this in total yet and I doubt that there will be a great shortcut to
> > be found.
> Having spent several days on similar backports for Linux 3.2 and 3.16,
> I recognise the likely difficulty and complexity of the task and I
> think it still needs to be done.

yes, we should fix what's (sensibly) possible to fix in Xen 4.4.

So Peter, please go ahead and backport as much as you can, while updating
us (me or this list) on estimates as you get a better understanding of the work.

I assume it might also be a good idea if you'd summarize the state
of the various (CVE) issues in NOTEs in data/dla-needed.txt in
security-tracker.git so that it's clearly visible in one location what
the status of backporting these fixes is. That information is also in
the mails of this thread, but that's not easy to find.

You can safely spend up to 4 or 5 (8h) days on this as we have some
backlog of undispatched hours accumulated and this is a good use for that.

(in related news, if you know someone who'd be interested to work on
LTS, please tell them to contact me.)

> (But for future releases we do seriously need to consider whether Xen
> should be covered by LTS, given the amount of work needed.)

can we discuss this now or should we postpone this to the beginning of
the Stretch LTS cycle?

> > Another option would be backporting the Xen
> > 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
> > Stretch to Jessie. This could be done including testing within a few
> > hours, maybe a little more than a working day or less if we abandon Xen
> > 4.4.
> I don't see this as an acceptable option for LTS.  We could maybe add a
> xen-4.8 package if it was popular in jessie-backports, but that doesn't
> excuse us from having to support 4.4.
