Re: Xen 4.4 updates vs. Xen Stretch backport
Hi Moritz, Hi all!
Sorry for replying late. I picked up a cold and was out of the office for
some days.
On 28.11.18 22:44, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
> What would be the point? If you migrate to a complete new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.)
Yes, I totally agree. But before traveling a long and, looking at the
workload, expensive road, I wanted everybody on the same page about this.
> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).
I doubt that this is a valid point. In a (totally) "secure" environment
(=internal VMs) with trusted users, there is not much point in doing most
of the security fixes at all. But why do we do this? Because there is no
such thing as a (perfectly) secure environment.
The only questions to be asked are:
A) can we do it?
B) can it be afforded?
What users might do with the software distributed is out of our scope.
While question A is very technical and, right now, I cannot clearly
answer it with a "yes" - at least not 100% - question B is not only
about available working time but also about commitment. How much
workload is an (LTS) project willing to take?
Cheers
Peter
--
Peter Dreuw
Team Lead
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: Peter.Dreuw@credativ.de
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/