Subject: Re: CVS commit: src/sys
To: Elad Efrat <e@murder.org>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 06/23/2007 18:37:20
On Sat, Jun 23, 2007 at 06:23:44PM +0300, Elad Efrat wrote:
> I don't understand how kauth not being maintained means it's okay to
> expose its internals.

If kauth is not being maintained, why are you bothering to copy the
world and its dog on your email?

I know it's much easier to stand on the sidelines and shout whenever
anyone touches a file with the letters "kauth" anywhere in its name,
but it's not getting you or the project any further along the road.

If you care about kauth, agree to the same rules that every other
developer does, and maintain it. If you don't, it will bitrot, and
will have to be thrown out. And, as I said, that would be a pity.

> question to you, al, as a core member and tnf president: will it be
> as easy as it was to implement various security models on top of kauth
> now that its internals have been exposed?

As a software developer, my answer to your question would be "no - if
the complete abstraction has been violated, then it will be harder to
build models on top of kauth". Has the complete abstraction been violated,
or just a part of it? Where is the documentation dealing with the
abstractions, the ways it fits into other kernel code, and the direction
forward for kauth?

As President of TNF and a member of the core team, I would ask that
you consider that it might be more fun for you if you were a part of
the project.  You can't change anything if you're not part of it - the
best that you could hope for is to stand around on the sidelines and
say "I wouldn't have done it like that."
 
> does "compat code with one less malloc" weigh more than "opaque and
> abstract interface allowing various pluggable secmodels"?
> 
> to users: the commit in question means that the internals of kauth have
> been exposed, severely limiting the flexibility of the interface. if it
> was possible to say "kauth allows different secmodels to be implemented
> and used in netbsd", after the commit it means "back to stone age".

You shouldn't say things like that - it just gives ammunition to the
people who are nervous about kauth, who are concerned by its lack of
documentation, the fact that there is no one maintaining it, or,
worse, driving it, and who want to replace it with (a clone of)
Apple's kauth, which has had many more eyes on it.

Regards,
Alistair