On reporting CPU flags that provide mitigation (to CVE flaws) as Nova 'traits'

On May 15, 2019, at 4:50 PM, Eric Fried <openstack at> wrote:
>>>> There's no consensus here.  Some think that we should _not_ allow those
>>>> CPU flags as traits which can 'allow' you to target vulnerable hosts.
>>> For what it's worth, I'm in this camp and have said so in other places
>>> where we have been discussing it.
>> Yep, noted.
> My position is that it's not harmful to add them to os-traits; it's
> whether/how they're used in nova that needs some thought.

They may not be "harmful", but they set a very bad precedent. I don't want to see os-traits become "Oh, just dump the trait in there, and maybe someday someone will use it".

-- Ed Leafe