Hi Moritz, Hi all!

Sorry for replying late. I picked up a cold and was out of office for some days.

On 28.11.18 22:44, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
> What would be the point? If you migrate to a complete new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.)

Yes, I totally agree. But before traveling a long and, by looking at the workload, expensive road I wanted anybody on the same page about this.

> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).

I doubt that this is a valid point. In a (totally) "secure" environment (=internal VMs) with trusted users, there is not much point doing most of the security fixes at all. But we do this? Because there is no such thing as a (perfect) secure environment.

The only questions to be asked are:

A) can we do it?
B) can it be afforded?

What users might do with the software distributed is out of our scope.

While question A is very technical and right now for me not clearly to be answered with a "yes" - at least not 100% - Question B is not only about available working time but also about commitment. How much workload is a (LTS) project willing to take?

Cheers
Peter

--
Peter Dreuw
Team Lead
Tel.: +49 2166 9901-155
Fax: +49 2166 9901-100
E-Mail: [email protected]
gpg fingerprint: 33B0 82D3 D103 B594 E7D3 53C7 FBB6 3BD0 DB32 ED41
http://www.credativ.de/

**********************************************
New: Elephant Shed - PostgreSQL Appliance
PostgreSQL and everything that goes with it
From backup to monitoring to reporting:
https://elephant-shed.io/index.de.html
**********************************************

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to the following provisions:
https://www.credativ.de/datenschutz
