Hacker News new | comments | ask | show | jobs | submit login

No mention of security? Xen isn't perfect, but according to the Qubes team it's the best we've got.

> We still believe Xen is currently the most secure hypervisor available, mostly because of its unique architecture features, that are lacking in any other product we are aware of.

https://raw.githubusercontent.com/QubesOS/qubes-secpack/mast...




That's hypothetical security, of course. In a practical sense Xen has seen several major security vulnerabilities, such as Venom.

Not that other VM systems haven't suffered similar problems. But when real-world experience shows that, for example, Xen is no less vulnerable to the most damaging exploits than any other VM manager then the hypothetical security advantages evaporate away and it no longer becomes a useful justification for preferring Xen.


Venom was a vulnerability in Qemu, not Xen, which has a containment mechanism (stub domains) for this class of vulnerability. In addition, PV Linux VMs do not use Qemu, so were not vulnerable. Qubes contained Qemu in stub domains, so was not vulnerable, https://groups.google.com/forum/m/#!topic/qubes-users/uRg6gk...


Case in point: I received 12 hours of notice on a Sunday before my master database was rebooted to patch a Xen security flaw http://status.linode.com/incidents/2dyvn29ds5mz On the plus side, great Xen effort to to roll out fixes before it became a public zero day.


wait, but didn't you just contradict yourself?

> cool that xen rolled out fixes before zero day

> not cool that your vm was promptly rebooted to apply the fix


    > not cool that your vm was promptly rebooted to apply fix
Not sure where you got the "not cool" part, I believe the parent post just said "this happened", not "it sucks that this happened", I could be wrong though


They rolled out the patch over two weeks time. The first fixes were after 12 hours, and could have likely waited at least 1 business day to give me proper notice.


The majority of the serious Xen security issues affected HVM, not PV.


Good point.


You're surprised that Linode isn't addressing security?

I've been a Linode customer for most of their 12 years, but my only complaint (and the reason I don't use them for anything I _really_ care about) is that they have always been very opaque about security.


Opaque isn't the word I'd use to describe Linode security.


Yes, Linode being opaque was my experience too. I remember a really weird discussion with their support about HTTPS load balancing.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: