AB Meeting/May 2015 Minutes

From Xen

Attendees

Lars Kurth
Sarah Conway (LF)
Laura Kempke (LF)

Larry Wikelius (Cavium)
Donald Slutz (Verizon)
Antony Messerli (Rackspace)
Guido Trotter (Google)
Philippe Robin (ARM)
Sherry Hurwitz (AMD)
James Bulpin (Citrix), joined late

(quorum)

Agenda

Attached documents at File:May 15 AB Meeting.pdf

Xen Project Developer Summit (Lars)

* Quick update on talk submissions and schedule (see attached PDF)

RESOLUTION: Travel stipend of $2500 (the estimate is $2200) for Martin Lucina who is in the top 5 rated talk submissions covering flights from Vienna to Seattle + Accommodation. 
* We have budgeted for $5K in 2015 and not spent anything

Carried

Test Lab Update (Lars)

* Status Update (see attached PDF)

RESOLUTION: Do we accept APM's Donation of 2 X-C1 EVK kits (total value $5,200) - the test framework WG recommends to do so
Carried

* Reminder: we should start to plan expansion – aka what type of new kit do we want to procure in Q3

OpenStack Update (Lars)

* CI Loop Status Update & Next steps (see attached PDF)

Action: Lars to take steps for project to carry cost of CI loop
Cost breakdown by Bob Ball
---
Server cost for Feb 21 to Mar 21: $1223
Server cost for Mar 21 to Apr 21: $1744 – but that’s end-of-cycle rush so would be higher than normal traffic.
 
Then there is a small extra cost for cloud files storage and CDN, but I can’t split that out from the existing charges; I estimate $50 per month.
 
On average I’d guess that might be $1,500 per month or $18k per-annum then?
---
Action: Lars – discuss at next meeting re CI loop (done)

PR Update (Sarah)

Venom post-mortem
* The press cycle went quickly this time
* CrowdStrike was pro-active and branded the vulnerability
* CrowdStrike did break the embargo (press interview, website went live 4 hours before the embargo time)
* Technically they are not on the pre-disclosure list and are the discoverers of the issue, thus we cannot take any action

Sarah: has now a pre-prepared statement for the press in case we have similar issues in future
Sarah: after a day or two the articles related to Venom were more balanced and partly called out CrowdStrike
Sarah: Tamas' article was too late for the news cycle (see https://blog.xenproject.org/2015/05/14/hardening-hypervisors-against-venom-style-attacks/)

Antony: I posted a message on the security list to investigate whether in cases where no fix can be found two weeks prior to disclosure, the disclosure list can be informed with information that is available at that given time

Action Lars: follow up when back from the OpenStack summit
For A) get the timeline : see http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02872.html ([SECURITY] XSA-133 Retrospective)
For B) for the process change, see http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg00052.html ([Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015)

Sarah: interesting that CrowdStrike gained the coverage they got, which makes it more likely that there will be more branded vulnerabilities with attached marketing campaign in future

* Upcoming press releases and opportunities
Mirage: 2.5 Release - want to release at QCON (will come through as draft pretty quickly, assuming the Mirage team provides the relevant information)
Mirage Jitsu Release: Jitsu - not quite ready to be released. Expect release in Sept/Oct
Mirage 3.0: Q3
Xen 4.6: Q3

Lars: Note that there was a proposal to change Xen version numbering, but it seems there is not enough traction for it http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg00365.html ([Xen-devel] (release) versioning). On a related note, there was also a proposal to change the maintenance release cadence to 4 months (instead of 3) - see http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg00361.html ([Xen-devel] stable release cadence) for which there was agreement. We didn't think a formal vote was required.

Lars asked Sarah whether moving up quality groups in OpenStack was worth a press release or whether a blog post is enough
*All agreed that a blog post is better*

See: https://blog.xenproject.org/2015/05/20/xen-project-now-in-openstack-nova-hypervisor-driver-quality-group-b/

Live Patching (Konrad)

* A draft solution was discussed at the Hackathon
* Konrad posted an RFC v1 design to interested parties before it went to the xen-devel@ list
* v2 was posted on xen-devel at http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02142.html
There has been some discussion, but I expect this to be stalled until Konrad is back from vacation

AOB

None