Re: [Xen-devel] Consensus in Parallel Universe Responses to Spectre/Meltdown

2018-01-11 Thread George Dunlap
On 01/11/2018 03:38 AM, Rich Persaud wrote:
> Across the computer industry, it is clear that a small subset of specialists 
> have known about this issue for some time:  developers who worked on 
> candidate fixes ahead of the public announcement, experts who warned about 
> microarchitecture risks years ago, and any adversaries who acted on their 
> warnings.  Some people had advance information & time to consider candidate 
> solutions, most [1] of the world did not.
> 
> As a customer of $HW_vendor / Xen / $OS_vendor / $APP_vendor, the last thing 
> I want to hear is that world-class specialists who have had weeks/months to 
> evaluate candidate fixes have been unable to reach agreement and propose to 
> delegate the decision TO CUSTOMERS (?!)  That would be customers with only 
> days of exposure to the CVE details, who still have to keep their regular 
> business running, while trying to understand a complex security issue that 
> eluded experts for decades.

I hope I'm not saying too much to say this: Those who knew about this
were not working according to the normal XenProject Security Team rules;
in fact the XenProject Security Team as such was only officially told on
3 January (the same day the issue went public).  Those who knew were
working under NDA and sharing of information was severely restricted,
*even on people in the same team at the same organization*.

In the week that we've been able to openly discuss it, we've already
come up with a large number of much better ideas than the people "in the
know" were able to come up with, crippled by a lack of ability to
communicate.

I'm sure I speak for a number of people when I say that we're just as
unhappy with that situation as you are.

 -George

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] Consensus in Parallel Universe Responses to Spectre/Meltdown

2018-01-10 Thread Anthony Liguori
On Wed, Jan 10, 2018 at 7:38 PM, Rich Persaud wrote:
> On Jan 10, 2018, at 11:39, Ian Jackson wrote:
>
>
> [ Disclaimer: non-technical, PM-oriented message ahead.  Opinions expressed
> are those of this individual and not former/current employers or clients. ]
>

[Snip]

We had a plan and have been working together in a common direction but
the embargo broke early and we ran out of time.

We are now trying to figure out what to do given that.  We're all
trying to make the best of a bad situation.

Regards,

Anthony Liguori
