On 01/11/2018 03:38 AM, Rich Persaud wrote:
> Across the computer industry, it is clear that a small subset of specialists
> have known about this issue for some time: developers who worked on
> candidate fixes ahead of the public announcement, experts who warned about
> microarchitecture risks years ago, and any adversaries who acted on their
> warnings. Some people had advance information & time to consider candidate
> solutions, most [1] of the world did not.
>
> As a customer of $HW_vendor / Xen / $OS_vendor / $APP_vendor, the last thing
> I want to hear is that world-class specialists who have had weeks/months to
> evaluate candidate fixes have been unable to reach agreement and propose to
> delegate the decision TO CUSTOMERS (?!) That would be customers with only
> days of exposure to the CVE details, who still have to keep their regular
> business running, while trying to understand a complex security issue that
> eluded experts for decades.

I hope I'm not saying too much to say this: Those who knew about this
were not working according to the normal XenProject Security Team rules;
in fact the XenProject Security Team as such was only officially told on
3 January (the same day the issue went public). Those who knew were
working under NDA and sharing of information was severely restricted,
*even on people in the same team at the same organization*.

In the week that we've been able to openly discuss it, we've already
come up with a large number of much better ideas than the people "in the
know" were able to come up with, crippled by a lack of ability to
communicate.

I'm sure I speak for a number of people when I say that we're just as
unhappy with that situation as you are.

-George
___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel