git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On reporting CPU flags that provide mitiation (to CVE flaws) as Nova 'traits'


On May 15, 2019, at 4:50 PM, Eric Fried <openstack at fried.cc> wrote:
> 
>>>> There's no consensus here.  Some think that we should _not_ allow those
>>>> CPU flags as traits which can 'allow' you to target vulnerable hosts.
>>> 
>>> for what its worth im in this camp and have said so in other places
>>> where we have been disucssing it.
>> 
>> Yep, noted.
> 
> My position is that it's not harmful to add them to os-traits; it's
> whether/how they're used in nova that needs some thought.

They may not be "harmful", but they set a very bad precedent. I don't want to see os-traits become "Oh, just dump the trait in there, and maybe someday someone will use it".


-- Ed Leafe