Re: CVS commit: src/sys

[Maxime Villard <max%m00nbsd.net@localhost>]

Le 03/10/2017 à 18:53, Christos Zoulas a écrit :
> In article <20171003162103.GA25760%britannica.bec.de@localhost>,
> Joerg Sonnenberger  <joerg%bec.de@localhost> wrote:
> > On Tue, Oct 03, 2017 at 04:03:49PM +0200, Maxime Villard wrote:
> > > Le 03/10/2017 à 15:52, Kamil Rytarowski a écrit :
> > > > On 03.10.2017 15:35, Greg Troxel wrote:
> > > > > Then, I think the debate
> > > > > reduces to "should the checked-in GENERIC enable the emulation sysctl".
> > > >
> > > > I don't see a better answer to this question: yes, no or depends on the
> > > > flavor of the kernel.
> > > >
> > > > My personal preference is to keep it enabled by default
> > >
> > > Let me just expose my point in another way, and try to prevent possible
> > > misunderstandings: compat_linux and friends *must be disabled by default*.
> >
> > This is *exactly* the point a lot of people disagreed with.
>
> Yes, and for that we need to come up with a policy on the default OS
> configuration. Do we provide by default the most secure configuration,
> or the most usable one with easy ways to change from one to the other?

What about you both cut the drama and the bullshit right here. What has been
said already repeatedly, again, and again, is that choosing one side over the
other just does not work. There is no "most secure", there is no "most usable".
There is the *middle* of it; some security with features that are still
compiled but not accessible by unpriv user by default, some usability with a
way to enable the feature that requires the least effort possible.