Hi,

On Wed, Feb 16, 2011 at 04:19:23PM -0500, Bernardo Innocenti via RT wrote:
> > SSH is visible but Debian 5 is still supported for at least a year, so
> > no impact on security.
>
> SSH is also not accessible from the public internet on most of our
> Dom0s... Colonialone seems to be the only exception.
>
> For improved security, we could limit access to the IPs of people who
> need to have access? Regardless of which version of Debian we use, this
> would protect us from 0-day exploits and compromised keys.

That would be quite inconvenient. This is also an extremely risky way to consider security, because AFAICS it makes you think running a 1000-days-old kernel (with at least 2 root privilege escalation kernel exploits around) is safe.

> > > Whenever you choose to go ahead, I could assist you any day from 10am to
> > > 4pm.
> >
> > Does that include going at the colo?
>
> As long as we don't make the machine unbootable, we should be able to
> recover it remotely from the serial console.

And it's actually the 'make the machine unbootable' case that I want to cover :)

That, and your expertise on possible coreboot-related Xen issues. Let us know when you have tested recent Xen some more :)

--
Sylvain