Yikes. https://www.qubes-os.org/news/2017/04/04/qsb-29/

Xen is looking more and more like a liability. Subgraph OS, which takes a completely different approach (sandboxing + hardened kernel), has a much better track record, with the only vulnerability being Dirty COW. Qubes has been affected multiple times due to Xen bugs in recent years: https://www.qubes-os.org/security/xsa/

@femme How does the comparison go when you account for the fact that Subgraph has a much shorter track record?
@femme I mean, Qubes has existed 5x longer than Subgraph has (five years vs. one year), so you would expect to see more reported bugs, even if you assume there are equal numbers of bugs existing and equal interest in finding Xen bugs as finding Subgraph bugs...
@covalent True, but it seems that Xen escapes are much more common than grsecurity privilege escalation despite many people looking for Linux bugs (maybe more than Xen). I haven't heard of any plans of Xen to address the security issues other than addressing them one by one as they come up, which isn't proactive enough imo. Hopefully the move away from PV with Qubes 4.0 will help.