On 02.08.2017 20:02, Taylor R Campbell wrote:
>> Date: Wed, 2 Aug 2017 16:11:16 +0000
>> From: maya%netbsd.org@localhost
>>
>> I can 'cd pkgsrc/www/opera; make install; opera' and get a closed source
>> browser that works as is, without even realizing it relies on
>> COMPAT_LINUX to work.
>
> % cd www/opera && bmake package
> ERROR: This package has set PKG_FAIL_REASON:
> ERROR: opera-12.16 has an unacceptable license condition:
> ERROR: opera-1200-license
> ERROR: You can mark the license ``opera-1200-license'' as acceptable by adding
> ERROR: ACCEPTABLE_LICENSES+= opera-1200-license
> ERROR: to /home/riastradh/pkgsrc/current/pkg/etc/mk.conf or by adding
> ERROR: ACCEPTABLE_LICENSES= opera-1200-license
> ERROR: to /home/riastradh/pkgsrc/current/pkg/etc/pkg_install.conf.
> ERROR: The following command will show you the license text:
> ERROR: /home/riastradh/pkgsrc/current/pkg/bin/bmake show-license
>
>> Unless some miracle happens, NetBSD will remain an esoteric operating
>> system, and we won't have many closed source programs if any. A fairly
>> small amount of code gives us access to a large number of programs that
>> we would otherwise not have access to.
>
> I'm not proposing removing the code. Just having a knob to turn it on
> before you're exposed to its attack surface.
>
> But it sounds like there are a number of people who want compat_linux
> to remain enabled, and of the compat modules I expect it is the best-
> maintained, so I will withdraw the proposal to disable it by default.
> However, we still need some way to automatically test it so that
> developers other than manu@ can apply security fixes without blindly
> breaking things.
>

I think we can go into a different direction. Instead of disabling the code - we could turn all compat_ into dynamically loadable modules. I would profit from it for functional out-of-the-box compat for older NetBSD releases (a.out executables).
For security purposes people can raise securelevel and prevent any modules from insertion into the kernel.