tech-kern archive


Re: Proposal: Disable autoload of compat_xyz modules



On 02/08/2017 at 23:08, Joerg Sonnenberger wrote:
> On Wed, Aug 02, 2017 at 08:52:15PM +0200, Maxime Villard wrote:
>> I disagree. The cost of doing a modload is low enough compared to the
>> configuration needed to use compat_linux. Just like the command you quoted.

> If I wanted OpenBSD, I know where to get it. There is a balance between
> pissing off people and providing security.

In your opinion, what is pissing people off the most: having to do a modload,
or being automatically vulnerable because some guys want to be able to do
"make install opera etc" without typing one more command?

Strange understanding of pissing off people.

> If you want to minimize the
> attack surface at all cost of *your* system, you are free to do so.

Forgive me for feeling a little sorry for the users that are regularly affected
by vulnerabilities in compat_linux*.

> Otherwise it has to be balanced.

Certainly. It does not seem to me that moving compat_linux* into modules is in
any way illegitimate or unbalanced. That's the opinion I was stating.

> So far modules have primarily created
> problems for a lot of people without any gain.

And so have compat_linux and compat_linux32.

> Disabling rarely used
> code is one thing, disabling commonly used code is something else. Stop
> pushing for "security" as a single goal above all else. It doesn't make you
> more credible, it just makes people shoot down sensible proposals as a
> knee-jerk reaction because they are waiting for the insane follow-up.

Getting credibility and recognition from someone like you, Joerg, is not
something I particularly care about. We're not in the jungle, we're here to
talk; people are giving their opinion, I'm giving mine. I fixed 11 of the 11
vulnerabilities that affected our compat options these last ten years, so I do
have my word to say when it comes to security and compatibility, just like
everyone else.

If you want to be among people that cannot talk, you know where to go, and
this place is called openbsd-tech.

Maxime

