How can it possibly be time to patch Xen again?

Hot on the heels of dumping a hot, steaming pile of patches on its users, the Xen project has squeezed out a maintenance release. Xen 4.5.2 hit the intertubes on Thursday, bringing with it 74 fixes and improvements, plus another five QEMU repairs. Xen folk say “We recommend that all users of the 4.5 stable series update to …

  1. larsk

    As I pointed out in a comment to an earlier Register article on the topic of maintenance releases: we *always* make maintenance releases every 3-4 months, which contain bug fixes (including security fixes). This release does not contain any new security fixes, only those which had already been publicly disclosed. In addition, the Xen Project does not make binary releases. It makes source releases which are consumed by distros and commercial products and services. The vast majority of Xen users do not use Xen directly, but use a distro, commercial variant of Xen or a Xen-based service. Only a small number of users build and use Xen from source.

    Some of the commits which have been highlighted in the article are of course XSAs: for example "xl: Sane handling of extra config file arguments" includes XSA-137. This is also an excellent example, which shows how we review older code after an XSA is discovered and harden it. The number of fixes in a maintenance release is well within the normal range for similarly sized projects or products. If it is higher, then this is a reflection of the needs of different vendors and distributions who request backports of specific bug fixes for their own convenience to avoid having to carry large patch queues, in accordance with our maintenance release policy at

  2. Anonymous Coward

    wah wah wah...

    You flinched.

    I do give you props for this statement, not only doing it, but announcing it:

    " which shows how we review older code after an XSA is discovered and harden it. "

    1. larsk

      Re: wah wah wah...

      I guess you are referring to my comment. I am just getting annoyed at the constant barrage of news stories related to Xen. I mean it's nice in some way, because writing stories about Xen obviously leads to traffic at The Register, which means that the project is important enough to get coverage. But sometimes there just is no story, like in this case.

      1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

        Re: Re: wah wah wah...

        If there's no story, why do you folks blog the releases?

        I do the maintenance releases as a PSA, BTW.

        And yes, we do consider you important enough to cover in detail.


  3. batfastad

    A lousy time?

    ... I'm not so sure. Ok it's annoying to have to patch software in your environments. But I always find it encouraging to see software vendors/developers release patches regularly and rapidly.

    Anyone who thinks any software is bug-free is dreaming. With open source software you at least have that visibility and transparency and in theory a lot more scrutiny on the code than with closed source. I shudder to think of how many critical bugs there are in MS software (simply an example) that few outside of MS will ever know about and that might never be patched before the next major release in X years.

  4. EPurpl3

    Nice article, what's Xen? :D
