Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 3, 2015

Honesty in Response to Critical Vulnerability (What Was He Thinking?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:33 pm

I’m sure you have read some variation on Critical Xen vulnerability went undiscovered for seven years by Mark Stockley over the past day or so.

Mark has a good summary of the issue, etc., but I want to highlight the response of Ian Jackson, who Mark quotes in his post:

Ian Jackson, a long-time open source veteran and a member of the Xen Project Security Team provides a response on the Xen Project blog.

He explains why he thinks some people have the impression that Xen is buggier than other similar products:

Unlike almost all corporations, and even most Free Software projects, the Xen Project properly discloses, via an advisory, every vulnerability discovered in supported configurations.

... For researchers developing new analysis techniques, Xen is a prime target. A significant proportion of the reports to security@xenproject are the result of applying new scanning techniques to our codebase. So our existing code is being audited, with a focus on the areas and techniques likely to discover the most troublesome bugs.

More interesting than that though is his honest appraisal of the state of computer security and what he sees as our collective attitude to it:

The general state of computer security in almost all systems is very poor. The reason for this is quite simple: we all put up with it. We, collectively, choose convenience and functionality: both when we decide which software to run for ourselves, and when we decide what contributions to make to the projects we care about. For almost all software there is much stronger pressure (from all sides) to add features, than to improve security.

Ultimately, of course, a Free Software project like Xen is what the whole community makes it. In the project as a whole we get a lot more submissions of new functionality than we get submissions aimed at improving the security.

In other words, if we want better computer security then it necessarily comes at the expense of something else (typically, something shiny).

From a marketing/upgrade perspective, you know who wins in a struggle between features and security.

At least until consumers start voting with their feet in favor of security and not features. Liability for failures of security would help a lot to tip the balance in favor of security. Are there any common law judges listening?

One other bit of useful (if not encouraging) news from Mark’s post: the bug became apparent only when looking at logic flows and not code. Add another dimension to your analysis: logic flows.
