Subject: re: Non executable mappings and compatibility options bugs
To: Curt Sampson <cjs@cynic.net>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 06/22/2004 21:28:57
   
   > i'm all for security features, but they can't break other things in
   > the process.  why is it a regression to not enable a security feature
   > for an emulation until it's verified _not to break it_?
   
   Some people might prefer to have the emulation break, rather than the
   security break. I would generally prefer that, since it's obvious
   breakage, rather than subtle breakage.


then they should turn the emulation off.  i think you've missed my
point.  currently, we have a regression - programs that used to run
fine no longer run.  chuq's proposal would fix that.  since when has
it been acceptable to break significant functionality in the name
of security?  also, it's maybe "obvious breakage" now to people who
are familiar with it - it wasn't for the N people who had this issue
before it became well known, nor will it be for users.

we ship GENERIC with all working emulations enabled - our default
install shouldn't break that, should it?


i agree with thor that config and/or the kernel should warn about
this but surely everyone can agree that the default should be for
"programs to continue to work"?


(a knob to disable it for all emulations would be fine, but don't
all the security people build their own kernels anyway? :-)


.mrg.