
Re: Xen 4.4 updates vs. Xen Stretch backport

Hi Moritz, Hi all!

sorry for replying late. I picked up a cold and was out of office some

On 28.11.18 22:44, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
> What would be the point? If you migrate to a complete new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.
yes, I totally agree. But before traveling a long and, by looking at the
workload, expensive road I wanted anybody on the same page about this.
> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).

I doubt that this is a valid point. In a (totally) "secure" environment
(=internal VMs) with trusted users, there is not much point doing most
of the security fixes at all. But we do this? Because there is no such
thing as a (perfect) secure environment.

The only questions to be asked are:

A) can we do it?

B) can it be afforded?

What users might do with the software distributed is out of our scope.
While question A is very technical and, right now, cannot clearly be
answered by me with a "yes" - at least not 100% - question B is not only
about available working time but also about commitment. How much
workload is an (LTS) project willing to take?



Peter Dreuw
Tel.:  +49 2166 9901-155
Fax:   +49 2166 9901-100
E-Mail: Peter.Dreuw@credativ.de

gpg fingerprint: 33B0 82D3 D103 B594 E7D3  53C7 FBB6 3BD0 DB32 ED41

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to the
following provisions: https://www.credativ.de/datenschutz

