Re: Proposal, again: Disable autoload of compat_xyz modules

[Manuel Bouyer <bouyer%antioche.eu.org@localhost>]

On Thu, Sep 26, 2019 at 04:29:52PM +0200, Maxime Villard wrote:
> Le 26/09/2019 à 16:22, Mouse a écrit :
> > > > > Keeping them enabled for the <1% users interested means keeping
> > > > > vulnerabilities for the >99% who don't use these features.
> > > > Are the usage numbers really that extreme?  Where'd you get them?  I
> > > > didn't think there were any mechanisms in place that would allow
> > > > tracking compat usage.
> > > No, there is no strict procedure to monitor compat usage, and there
> > > never will be.  Maybe it's not <1%, but rather 1.5%; or maybe it's
> > > 5%, 10%, 15%.
> > 
> > > Who cares, exactly?
> > 
> > The short answer is "anyone who wants NetBSD to be useful".
> > 
> > If it really is only a tiny fraction - under ten people, say - then,
> > sure, yank it out.  If it's 90%, removing it would lose most of the
> > userbase, possibly provoke a fork.  15%, 40%, I don't think there is a
> > hard line between "pull it" and "keep it", and even if there were I'm
> > not sure it would matter because it appears nobody knows what the
> > actual use rate is anyway.
> 
> What is known, however, is that 100% of the users are affected by the
> vulnerabilities. So, do we keep these things enabled by default just
> because "uh we don't know so we shouldn't do anything"? Even as it's
> already been clear that the majority doesn't use compat_linux?

Actually this is not clear. We have linux binaries in pkgsrc.

> Is it such a Herculean effort to type "modload compat_linux" for the
> people that want to use Linux binaries? In order to keep the majority
> safe from the bugs and vulnerabilities?

Maybe some of them don't even know they are using compat_linux ...

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--