On Thu, May 12, 2016 at 10:07:17AM -0400, Antoine Beaupré wrote:
> On 2016-05-12 10:00:24, Guido Günther wrote:
> >> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I
> >> think Guido is studying how to support virtualisation related packages,
> >> and maybe we should wait for his evaluation.
> >
> > I had zero feedback on supporting qemu so I'd propose to drop it. We can
> > keep libvirt in the current version if we don't update qemu and it seems
> > to be in use in Wheezy quite a bit (and dropping it would kill off quite
> > some programs due to the dependency chain) so I'd propose to keep it.
>
> Regarding qemu, keep in mind it's an integral part of Xen, specifically
> the HVM bits, if I'm not mistaken.
>
> So dropping qemu support there means dropping *parts* of the Xen support
> as well.
>
> I must say I'd be glad to do that because backporting those bits in xen
> was specially painful, but it might give users a false sense of security
> to say that Xen is supported, but only partially. The frontier there is
> not always clear to me.
>
> I would rather see qemu supported, in other words. But the version in
> wheezy is really old, and in xen/wheezy even more so.

AFAIK Xen in Wheezy is using the version shipped with Xen itself and we
have gathered extra support for this so dropping QEMU/KVM in Wheezy
shouldn't have any negative effects on Xen.

Cheers,
 -- Guido
