On 2016-05-17 15:21:16, Guido Günther wrote:
> On Tue, May 17, 2016 at 12:13:29PM -0400, Antoine Beaupré wrote:
>> On 2016-05-13 09:00:59, Antoine Beaupré wrote:
>> > So if we're going to do this painful work, might as well maintain some
>> > qemu interface in wheezy as well. I am not sure I see what additional
>> > cost this would bring: although the attack surface is larger on qemu and
>> > Xen uses only some parts of the Qemu codebase, disclosed vulnerabilities
>> > concern mostly HVM support in Xen, and not the "unused from Xen" qemu
>> > codebase...
>> >
>> > But yeah, this seems exactly stuff that our sponsored Xen support team
>> > should look into. ;)
>>
>> Did anyone contact the sponsored xen support team yet? How *do* we
>> contact those folks anyways?
>>
>> An almost textbook example of the problems we're talking about here:
>>
>> http://xenbits.xen.org/xsa/advisory-179.html
>>
>> Was marked as EOL in wheezy, but completely ignored the fact that it is
>> a Xen advisory, and that Xen *is* vulnerable!
>
> I think this should not be marked EOL. Should we decide to not support
> QEMU (standalone) in Wheezy this does not mean we also won't support the
> embedded QEMU in XEN (since it's only a subset). These are separate
> things.

Okay, that makes sense to me.

A.

-- 
The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led
them into it in the first place.
                        - Douglas Adams (1952-2001)
