Xen Project

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved a Core Infrastructure Initiative (CII) badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your badge status on your project page! The badge status looks like this: Badge level for project 374 is passing Here is how to embed it:
You can show your badge status by embedding this in your markdown file:
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/374/badge)](https://bestpractices.coreinfrastructure.org/projects/374)
or by embedding this in your HTML:
<a href="https://bestpractices.coreinfrastructure.org/projects/374"><img src="https://bestpractices.coreinfrastructure.org/projects/374/badge"></a>

These are the Gold level criteria. You can also view the Passing or Silver level criteria.

 Basics 0/5

  • Identification

    Note that other projects may use the same name.

    Xen Project is a Linux Foundation Collaborative Project that develops the Xen Hypervisor and related virtualization technologies. The Xen Hypervisor is a leading virtualization platform that is powering some of the largest clouds in production today, such as Amazon Web Services, Rackspace Public Cloud, Alibaba Cloud (Aliyun) and many hosting services. It also fosters the creation of lightweight Unikernel systems with the Mirage OS incubator project, as well as many independent efforts which use our hypervisor as a base for their work.

  • Prerequisites

    Not enough for a badge.

    The project MUST achieve a silver level badge. [achieve_silver]

  • Project oversight

    Unknown required information, not enough for a badge.

    The project MUST have a "bus factor" of 2 or more. (URL required) [bus_factor]
    A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.

    Unknown required information, not enough for a badge.

    The project MUST have at least two unassociated significant contributors. (URL required) [contributors_unassociated]
    Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.

  • Other

    Unknown required information, not enough for a badge.

    The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. [license_per_file]
    This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

 Change Control 1/4

  • Public version-controlled source repository

    Enough for a badge!

    The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed]
    Git is not specifically required and projects can use centralized version control software (such as subversion) with justification.

    Uses git.

    Unknown required information, not enough for a badge.

    The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]
    This identification is typically done by marking selected issues in an issue tracker with one or more tags the project uses for the purpose, e.g., up-for-grabs, first-timers-only, "Small fix", microtask, or IdealFirstBug. These new tasks need not involve adding functionality; they can be improving documentation, adding test cases, or anything else that aids the project and helps the contributor understand more about the project.

    Unknown required information, not enough for a badge.

    The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA]

    Unknown required information, not enough for a badge.

    The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA]
    A 2FA mechanism that meets this criterion would be a Time-based One-Time Password (TOTP) application that automatically generates an authentication code that changes after a certain period of time. Note that GitHub supports TOTP.

 Quality 1/7

  • Coding standards

    Unknown required information, not enough for a badge.

    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]
    See also two_person_review and contribution_requirements.

    Unknown required information, not enough for a badge.

    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review]

  • Working build system

    Not enough for a badge.

    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]
    A reproducible build means that multiple parties can independently redo the process of generating information from source files and get exactly the same bit-for-bit result. In some cases, this can be resolved by forcing some sort order. JavaScript developers may consider using npm shrinkwrap and webpack OccurenceOrderPlugin. GCC and clang users may find the -frandom-seed option useful. The build environment (including the toolset) can often be defined for external parties by specifying the cryptographic hash of a specific container or virtual machine that they can use for rebuilding. The reproducible builds project has documentation on how to do this.

    This would be a good idea. We don't have it right now, but we have accepted patches towards this goal (patches were submitted by the Debian reproducible builds folks).

  • Automated test suite

    Enough for a badge!

    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]
    For example, "make check", "mvn test", or "rake test".

    See the README files in the relevant repositories, as well as https://xenbits.xen.org/docs/xtf/

    Unknown required information, not enough for a badge.

    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]
    In most cases this means that each developer who works full-time on the project integrates at least daily.

    OSSTEST and the projects Test Farm implements continuous integration. In addition we do random build testing for different compilers (various gcc and clang versions) via Travis

    Warning: URL required, but no URL found.

    Unknown required information, not enough for a badge.

    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    Unknown required information, not enough for a badge.

    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

 Security 2/5

  • Use basic good cryptographic practices

    Note that some software does not need to use cryptographic mechanisms.

    Enough for a badge!

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select "not applicable" (N/A). [crypto_used_network]

    We do not use HTTP as an RPC transport. The toolstack software uses cryptography for migration, but it just uses whatever ssh you have as a transport (by default). We do support VNC, which has some encryption features. The encryption is entirely done by qemu using TLS.

    Enough for a badge!

    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

    After checking with the Linux Foundation, we were advised that we do not need to verify such choices for upstreams we depend on. In our case, we use QEMU which uses TLS for VNC.

  • Secured delivery against man-in-the-middle (MITM) attacks

    Not enough for a badge.

    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]
    Note that GitHub is known to meet this. Sites such as https://securityheaders.io/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), X-Frame-Options, and X-XSS-Protection.

    X-Content-Type-Options was not set to "nosniff".

  • Other security issues

    Unknown required information, not enough for a badge.

    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
    This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.

    Unknown required information, not enough for a badge.

    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]
    Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

    This is rather vague and needs more information to identify what is acceptable and what is not.

 Analysis 2/2

  • Dynamic code analysis

    Enough for a badge!

    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. [dynamic_analysis]
    A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

    The project runs American Fuzzy Lop over some portions of the codebase as part of its test infrastructure. This capability is being extended to cover more components. In addition tests which verify whether discovered, disclosed and fixed vulnerabilities are present in releases and master are run as part of the project's test infrastructure.

    In addition, 3rd party test infrastructure which has extensive fuzzing capability (such as Citrix' XenRT) are run on RCs (but also at regular intervals between releases) as part of the projects release process and issues are reported to the Xen Security team.

    Enough for a badge!

    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]

    The Xen Project code base has a large number of run-time assertions in DEBUG builds. The test infrastructure tests against both RELEASE and DEBUG builds.

This data is available under the Creative Commons Attribution version 3.0 or later license (CC-BY-3.0+). All are free to share and adapt the data, but must give appropriate credit. Please credit and the CII Best Practices badge contributors.

Project badge entry owned by: larskurth.
Entry created on 2016-09-13 12:41:15 UTC, last updated on 2017-04-07 12:28:15 UTC. Last achieved passing badge on 2017-04-07 12:27:27 UTC.