On Tuesday, May 2, 2017 at 10:12:18 PM UTC+2, Jean-Philippe Ouellet wrote: > > On Tue, May 2, 2017 at 8:10 AM, Andrew David Wong <[email protected] > <javascript:>> wrote: > > Some might argue that having only four fatal bugs (among other > not-that-fatal > > ones [15]) in 8 years is a reasonably good result, especially compared > to other > > desktop systems. We, however, have been deeply upset by each and every > of these > > bugs. In fact, after we learned of the second of these (XSA-212) 10 > months ago, > > we immediately began working on a way to move away from using PV-based > VMs and > > toward using only hardware-based virtualization (HVM) VMs in Qubes 4.x > [6]. > > Lets see... knew 10 months ago, XSA-212 public release was 2017-04-04, > (~1 month ago), so a 9 month embargo period for something so critical!?!? > > Is this a typo? Did you perhaps mean XSA-182 [1] (published 2016-07-26, > which was indeed closer to 10 months ago)? Is the Xen disclosure process > actually that slow?? >
No, the Xen disclosure process is pretty fast. As you can see at https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 , XSA-212 was reported to the Xen project 2017-03-14. -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/5c69d107-6564-4428-9136-c2f86ab51fe9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
