On 10/24/07, Paul de Weerd  wrote:
> This is the theory. In theory, there's no bugs in OpenBSD. In

quoted text
> practice, many of the commits to the tree are not new features/drivers

> but actual bugfixes. Read the paper by Tavis Ormandy, referenced by

> Theo. There is a real problem with virtualization. Until all bugs are

When you read Ormandy's paper, referenced by Damien Miller, in regards

to Xen, you find:
1. Ormandy states that Xen's design is congruent with good security
2. Ormandy doesn't actually demonstrate a Dom0 -> DomU escalation, and

in fact, didn't test any HVMs at all.
3. Qemu compromises != Xen HVM Qemu compromises
Furthermore:
1. Upstream patches already exist [1] in response to Ormandy's bug report [2]
> fixed, virtualization is worse than real hardware. And it'll be hard

quoted text
> to prove all the bugs are fixed.

Unless you are using a purely functional language implemented directly

on provably correct hardware, it's impossible to (mathematically)

prove a program is free of bugs. Since you want to solve real-world

problems, you make a tradeoff between features you want and issues you

can live with.
OpenBSD is very, very, very good at security.
On the other hand, if you want to program a fast, parallelized quantum

gravity model to run on a large cluster of OpenMosix nodes, it's not

the right tool for the job.
In the scientific cluster computing and enterprise spaces, it's

already well demonstrated, by many, many practitioners in those fields

[3], that virtualization is a very, very good tool.
> Paul 'WEiRD' de Weerd
[1] https://launchpad.net/ubuntu/+source/xen-3.1/
[2] http://secunia.com/advisories/26986/
[3] In addition to my own work, I can point to colleagues and

organizations, for example, http://cse.ucdavis.edu and

http://immunetolerance.org
Adam

--

"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu