public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Lukas Wunner <lukas@wunner.de>
To: Kees Cook <keescook@chromium.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>,
	Linus Torvalds <torvalds@linuxfoundation.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	David Windsor <dave@progbits.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Alexandre Belloni <alexandre.belloni@free-electrons.com>
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1
Date: Tue, 21 Nov 2017 14:53:48 +0100	[thread overview]
Message-ID: <20171121135348.GA18848@wunner.de> (raw)
In-Reply-To: <CAGXu5jJken1qWxayxUFs59kBgDzSkkdUZm8BEkcVAof7mJHMbA@mail.gmail.com>

On Mon, Nov 20, 2017 at 04:42:46PM -0800, Kees Cook wrote:
> I'm always trying to balance the requests from both ends of the
> security defense spectrum. One of the most common requests I get from
> people who are strongly interested in the defenses is "can this please
> be enabled by default?" And then I have to explain that it sometimes
> takes time for code to shake out, and it sometimes takes time for
> developers to trust it, etc. This is rarely a comfort to them, but
> they tend to be glad they can turn some config knob to enable the
> "strongest" version, etc, because for them, a false positive is no big
> deal. At the other end is the requirement that new stuff should not
> break the system. Both are reasonable perspectives, but if we violate
> the latter, the defense will never end up in the kernel in the first
> place.

I think Linus' objections must be seen in a broader context,
the last months we've seen a large influx of semi-automatically
generated hardening patches (constification mostly);  The volume
of these was at times overwhelming, in some cases they were dropped
on the mailing lists in a fire-and-forget fashion and there are
multiple documented cases where these patches broke things and the
community was left to repair the fallout.

When LWN published the 4.14 patch statistics (which some contributors
seem to mistake for a high score), Alexandre Belloni (+cc) rightfully
raised a complaint and included links to some of the broken patches:

https://lwn.net/Articles/736578/#CommAnchor737081

There is a growing sense that hardening patches (which are generally
desirable of course) are forced into the kernel without due diligence.
Objections against tone notwithstanding, making that concern known in
a form with greater visibility than an LWN comment was appropriate by
Linus.

It is most unfortunate that these concerns happened to be adressed to
you personally and stalled your patches (the quality of which I cannot
judge), even though they must (in my opinion) be interpreted in the
context of this larger issue.

It is likewise most unfortunate that this allowed bloggers, journalists
and HN know-it-alls with zero commits in the kernel and zero participation
on the mailing lists to focus on tone and whatnot, but completely
ignore what this is really about.

Thanks,

Lukas

  reply	other threads:[~2017-11-21 13:53 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-17 16:54 [GIT PULL] usercopy whitelisting for v4.15-rc1 Kees Cook
2017-11-17 17:35 ` Linus Torvalds
2017-11-17 17:45   ` Paolo Bonzini
2017-11-17 20:35     ` Kees Cook
2017-11-17 21:13       ` Linus Torvalds
2017-11-17 22:19         ` Kees Cook
2017-11-20 19:50         ` Matthew Garrett
     [not found]           ` <CA+55aFyMtpYASreqGuRmJoB8isJnhOxsWMa4uoQu6WtBJDHU6A@mail.gmail.com>
2017-11-20 23:29             ` Matthew Garrett
2017-11-21  0:42               ` Kees Cook
2017-11-21 13:53                 ` Lukas Wunner [this message]
2017-11-21 17:22                   ` Randy Dunlap
2017-11-21 14:34           ` Linus Torvalds
2017-11-21 13:48         ` Jason A. Donenfeld
2017-11-21 15:25           ` Linus Torvalds
  -- strict thread matches above, loose matches on Subject: below --
2017-11-13  7:29 Kees Cook
2017-11-16  7:45 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171121135348.GA18848@wunner.de \
    --to=lukas@wunner.de \
    --cc=alexandre.belloni@free-electrons.com \
    --cc=dave@progbits.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mjg59@srcf.ucam.org \
    --cc=pbonzini@redhat.com \
    --cc=torvalds@linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox