On Tue, Nov 10, 2015 at 1:09 PM, Lars Kurth <lars.kurth....@gmail.com>
wrote:

>
> > On 9 Nov 2015, at 18:15, Wojtek Porczyk <w...@invisiblethingslab.com>
> wrote:
> >
> > On Mon, Nov 09, 2015 at 04:31:58PM +0000, Franz wrote:
> >> Perhaps a way out of this impasse is to put bounties on Xen security
> tasks
> >> identified by Joanna and properly advertise these bounties to Xen users.
> >> [snip]
> >
> > This is fundamentaly wrong idea. Security isn't something you can
> > "apply" or put bounty on. It's a state of the mind, especcialy
> > developer's.
>
> I don't think this was what was proposed. What was proposed, if I
> understood correctly, was to use funds to sponsor solutions to specific
> problems in specific areas of code that have been developed in the past and
> where we may have issues due to past mistakes.
>
>
Yes Lars of course, and also changing mindset has real costs, because a
more security oriented mindset involves some additional work, some hard
thinking, some additional study, something already done that needs recoding
etc.  I mean it is not simply an act of will, rather a targeted effort. A
security mindset is slowing developing in the whole society and I see Qubes
developers as the more advanced front. The reality is changing fast. A
serious  bug in Xen practically means that all my passwords can be stolen
from my no-network VM or even more seriously that the life of an activist
can be compromised. These facts are dramatic or tragic and the situation is
constantly and fast worsening. So nobody is guilty for 7 years old code
developed in a different situation, but the same Joanna words are totally
justified and welcome. We have to face reality and take action. From my
point of view It is a matter of educating those who pay, for that I offered
to write some copywriting.
Best
Fran


> > Joanna wrote in her mail:
> >
> >>>> I can't help but have a feeling that some of the Xen developers seem
> to be
> >>>> overconfident in their belief they can fully understand all the
> possible
> >>>> execution paths in their code. Well, the XSAs quoted above are an
> indisputable
> >>>> prove that this is not quite always the case. Realizing that, each
> developer by
> >>>> themselves, might be a great step towards a more secure hypervisor...
> >
> > And that's why we can't just "submit a patch" to "contribute security".
>
> Although I agree that you can't submit a patch to fix security, it is
> possible to focus on some areas you care about and lead by example. In
> particular, if you believe that there is a mindset problem today. I think,
> you do also need to distinguish between what was happening in the past and
> what the project does today. There is little point to complain about what
> developers, who now don't work on Xen any more, did in the past. In
> particular, as the vast majority of active developers in the project were
> not around 6-7 years ago.
>
> > There is something wrong with Xen as a whole project, but that something
> > isn't the code. There is a mindset to be fixed.
>
> I think this is a rather generalising statement, and maybe it would be
> more fruitful to focus on some concrete areas that can be improved. I also
> believe, that there has been a significant shift in mindset in many areas
> in the project in the last few years.
>
> Lars
>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Reply via email to