+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+
| ...
| One thing we should do, however, is to make it clear which of the
| device models we consider secure, and which we consider only usable
| in a friendly guest environment, as we have very different code
| maintainership & quality standards for different parts of QEMU.
|
| Essentially virtio devices, and then only a handful of the emulated
| devices are things we consider suitable for usage in secure envs.
| Likewise for machine types probably.
True, +1.
It did come up in another thread. It'll surely be helpful to list these
professional and friendly components. 'Professional' being production ready
and thus security relevant. And 'Friendly' being experimental or not suitable
for production usage. Maybe like staging drivers in the kernel tree. They are
available for use but not considered production ready and thus are not
security relevant.
To be clear, irrespective of professional or friendly, we strive to fix every
single issue that is found and/or reported. Only difference is, professional
ones are tracked by a CVE ID and friendly ones are fixed as bug fixes, not
tracked by CVE ID.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F