Re: Proposal, again: Disable autoload of compat_xyz modules

To: Maxime Villard <max%m00nbsd.net@localhost>, Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: Proposal, again: Disable autoload of compat_xyz modules
From: John Nemeth <jnemeth%cue.bc.ca@localhost>
Date: Thu, 26 Sep 2019 10:57:12 -0700

On Sep 26,  4:40pm, Maxime Villard wrote:
} Le 26/09/2019 Ã  16:36, Manuel Bouyer a Ã©critÂ :
} > On Thu, Sep 26, 2019 at 04:29:52PM +0200, Maxime Villard wrote:
} >> Le 26/09/2019 Ã  16:22, Mouse a Ã©critÂ :
} >>>>>> Keeping them enabled for the <1% users interested means keeping
} >>>>>> vulnerabilities for the >99% who don't use these features.
} >>>>> Are the usage numbers really that extreme?  Where'd you get them?  I
} >>>>> didn't think there were any mechanisms in place that would allow
} >>>>> tracking compat usage.
} >>>> No, there is no strict procedure to monitor compat usage, and there
} >>>> never will be.  Maybe it's not <1%, but rather 1.5%; or maybe it's
} >>>> 5%, 10%, 15%.
} >>>
} >>>> Who cares, exactly?
} >>>
} >>> The short answer is "anyone who wants NetBSD to be useful".
} >>>
} >>> If it really is only a tiny fraction - under ten people, say - then,
} >>> sure, yank it out.  If it's 90%, removing it would lose most of the
} >>> userbase, possibly provoke a fork.  15%, 40%, I don't think there is a
} >>> hard line between "pull it" and "keep it", and even if there were I'm
} >>> not sure it would matter because it appears nobody knows what the
} >>> actual use rate is anyway.
} >>
} >> What is known, however, is that 100% of the users are affected by the
} >> vulnerabilities. So, do we keep these things enabled by default just
} >> because "uh we don't know so we shouldn't do anything"? Even as it's
} >> already been clear that the majority doesn't use compat_linux?
} > 
} > Actually this is not clear. We have linux binaries in pkgsrc.
} 
} ... And? We have 22000 packages in pkgsrc.
} 
} >> Is it such a Herculean effort to type "modload compat_linux" for the
} >> people that want to use Linux binaries? In order to keep the majority
} >> safe from the bugs and vulnerabilities?
} > 
} > Maybe some of them don't even know they are using compat_linux ...
} 
} Yeah, and maybe I'm the Pope also, who knows.

     Now, you're just being obtuse.  Although it is within the
realm of possibility that you could be the pope operating under an
alias, the likelihood of that being the case is so small as to be
negligable.  The pope is an extremely well known entity who's every
action is closely monitored thus it would be extremely difficult
for the pope to live a clandestine life as a TNF developer.  Also,
the known background of the the pope does not include software
developement.  If we want to throw out absuridities, it is far more
likely that you're Julian Assange.

}-- End of excerpt from Maxime Villard

References:
- Re: Proposal, again: Disable autoload of compat_xyz modules
  - From: Maxime Villard

Prev by Date: Re: Proposal, again: Disable autoload of compat_xyz modules
Next by Date: Re: Proposal, again: Disable autoload of compat_xyz modules
Previous by Thread: Re: Proposal, again: Disable autoload of compat_xyz modules
Next by Thread: Re: Proposal, again: Disable autoload of compat_xyz modules
Indexes:

Home | Main Index | Thread Index | Old Index