From: Keir Fraser
Subject: Re: Security support for debug=y builds (Was Re: Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only))
Date: Mon, 07 Jan 2013 11:08:20 +0000
In-Reply-To: <1357554072.14291.129.camel@zakaz.uk.xensource.com>
References: <1357554072.14291.129.camel@zakaz.uk.xensource.com>
To: Ian Campbell, xen-devel@lists.xen.org, xen-users
List-Id: xen-devel@lists.xenproject.org

On 07/01/2013 10:21, "Ian Campbell" wrote:

> On Fri, 2013-01-04 at 16:01 +0000, Xen.org security team wrote:
>> Hypervisor crash due to incorrect ASSERT (debug build only)
>
> While dealing with this issue the security team was faced with the
> question as to whether bugs which are exposed only in debug=y builds
> should be considered security relevant (i.e. would normally require an
> embargo period, a full advisory, etc).
>
> The Security Response Policy[0] does not offer any guidance on this
> issue. We concluded that we should treat this issue as a normal security
> issue and then seek guidance from the community as to what we should do
> in the future.
>
> So what are your expectations for security-sensitive bugs which only
> affect debug builds? Note that debugging is disabled by default and that
> we would recommend running non-debug builds in production.
>
> Options which I can think of are:
>
>       * debug=y bugs are Just Bugs and not security issues, i.e. they
>         are discussed and fixed publicly on xen-devel and the fix is
>         checked in in the usual way. There is no embargo or specific
>         announcement. The changelog may or may not refer to the security
>         implications if debug=y is enabled. This is my preference.

I consider debug builds to be developer builds, and wouldn't expect to see them used in production environments. We set debug=n by default in our stable branches for that reason.

 -- Keir

>       * debug=y bugs are security issues regardless; they are treated
>         like any other security issue, i.e. following the process[0].
>       * debug=y bugs are somewhere in the middle (perhaps no embargo,
>         less formal announcement, etc.).
>       * ...
>
> Any input appreciated. I will draft a process update as necessary based
> on the response.
>
> Ian.
>
> [0] http://www.xen.org/projects/security_vulnerability_process.html
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel