tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: suenv

On Tue, 23 Oct 2012 12:21:42 -0400
Thor Lancelot Simon <> wrote:
> You appear to be ignoring the relevant standards.  A process is
> either threaded or it is not, and thus a shared object which
> may be loaded into arbitrary processes must not use threads.

I'm not ignoring the standards, I'm just not ignoring the situation,
either. Something which used to soft-fail now hard-fails (correctly),
and this has bitten someone who is now trying to work out what would
make a temporary fix possible in similar situations.

> Doing so in authentication software is just insane.  In the
> real world I live in, one needs to be particularly careful
> with security software, not the other way around.


> Nasty hacks like subverting the protection against LD_PRELOAD
> on setuid executables are not called for in a case like this.
> If we resort to them, why should our users trust us to deliver
> quality software?  If you want the wild west, you can find
> Debian's openssl patches over there ----->.

I'm not advocating his hack, merely noting that there's a Real World
reason why it has been suggested. It reminds me of the old joke,
“Doctor, it hurts when I do this.” “Don't do that then.” As someone who
uses Linux as well as BSD I see exactly the same thing happen “over
there”. Sometimes the crazy hacks that distributions put in place are a
response to upstream refusing to come to some interim compromise while
the real problem gets fixed (if it gets fixed, of course). I agree that
this is Not NetBSD's Problem, but I wonder how many people devise their
own insane “solutions” to this sort of thing and are put at risk by the
lack of an official workaround? I'm thinking particularly of less
experienced folk, here.

3072D/F3A66B3A Julian Yon (2012 General Use) <>

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index