tech-kern archive
Re: Proposal: Disable autoload of compat_xyz modules
On Aug 3, 10:07am, Maxime Villard wrote:
} On 02/08/2017 at 23:08, Joerg Sonnenberger wrote:
} > On Wed, Aug 02, 2017 at 08:52:15PM +0200, Maxime Villard wrote:
} >> I disagree. The cost of doing a modload is low enough compared to the
} >> configuration needed to use compat_linux. Just like the command you quoted.
} >
} > If I wanted OpenBSD, I know where to get it. There is a balance between
} > pissing off people and providing security.
}
} In your opinion, what is pissing people off the most: having to do a modload,
} or being automatically vulnerable because some guys want to be able to do
} "make install opera etc" without typing one more command?
What is pissing off people the most is one random developer,
who is not even a portmaster or member of core, making major
decisions about the project on their own accord, and basically
behaving like a petty little dictator. Even if it is the correct
thing to do, which is debatable, it is not a decision that should
be made by a single random developer. This is NetBSD, not MaxBSD.
} Strange understanding of pissing off people.
}
} > If you want to minimize the
} > attack surface at all cost of *your* system, you are free to do so.
}
} Forgive me for feeling a little sorry for the users that are
} regularly affected by vulnerabilities in compat_linux*.
Who are these users? Where are the complaints?
} > Otherwise it has to be balanced.
}
} Certainly. It does not seem to me that moving compat_linux* into modules is in
} any way illegitimate or unbalanced. That's the opinion I was stating.
YOU were not talking about turning them into modules. YOU
were talking about deleting them. I noted that you already deleted
the i386 version and I can't find any public discussion about that.
} > So far modules have primarily created
} > problems for a lot of people without any gain.
}
} And so have compat_linux and compat_linux32.
Huh?!?
} > Disabling rarely used
} > code is one thing, disabling commonly used code is something else. Stop
} > pushing for "security" as a single goal above else. It doesn't make you
} > more credible, it just makes people shoot down sensible proposal as knee
} > jerk reaction because they are waiting for the insane follow-up.
}
} Getting credibility and recognition from someone like you, Joerg, is not
} something I particularly care about. We're not in the jungle, we're here to
} talk; people are giving their opinion, I'm giving mine. I fixed 11 of the 11
YOU are giving a lot more than just opinion. YOU are threatening
to single-handedly take action if you don't get the response you want.
} vulnerabilities that affected our compat options these last ten years, so I do
} have my word to say when it comes to security and compatibility, just like
} everyone else.
"Say" is one thing, action is another thing entirely.
}-- End of excerpt from Maxime Villard