On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
> Hi out there,
> Another option would be backporting the Xen
> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
> Stretch to Jessie.
What would be the point? If you migrate to a complete new Xen release,
then you can just as well migrate to stretch (which will also have
proven, compatible matching versions of libvirt/Linux/qemu/ etc.
If some of the Spectre mitigations can't be backported, make a detailed
writeup of what people are missing in 4.4 and let them handle it
based on that data (update to stretch or stick with 4.4/jessie); there's
still plenty of legitimate use cases which can be run in a secure
manner with 4.4 (internal VMs with trusted users etc).
Cheers,
Moritz
