| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Oct 2010 07:40:08 +0200 From: Ingo Molnar <mingo@...e.hu> To: Christoph Hellwig <hch@...radead.org> Cc: "H. Peter Anvin" <hpa@...or.com>, kernel@...ts.fedoraproject.org, Mimi Zohar <zohar@...ibm.com>, warthog9@...nel.org, Dave Chinner <david@...morbit.com>, linux-kernel@...r.kernel.org, Serge Hallyn <serue@...ibm.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, James Morris <jmorris@...ei.org>, Kyle McMartin <kyle@...artin.ca> Subject: Re: ima: use of radix tree cache indexing == massive waste of memory? * Christoph Hellwig <hch@...radead.org> wrote: > On Sat, Oct 16, 2010 at 02:10:29PM -0700, H. Peter Anvin wrote: > > > "Christoph Hellwig" <hch@...radead.org> wrote: > > > > > Besides the algorithmic problems with ima, why is kernel.org using > > > IMA to start with? Except for IBM looking for a reason to jusity > > > why TPM isn't a completely waster of ressources it's pointless. > > > And it was only merged under the premise that it would not affect > > > innocent normal users. > > > > I'm confused ... what makes you think we are? This might have been > > an unintentional misconfiguration... > > I didn't mean to imply you enabled it intentionally. In fact it looks > like the inode tracking in IMA is always on once it's compiled in, > which totally defeats the purpose of doing it's on iternal inode > tracking instead of bloating the inode what they originally proposed. > IMA really needs a kernel parameter to only enabled this crap when > people actually use it. That is true. > And whoever turned it on in Fedora needs some serious wahcking. And that is false. This security feature was merged upstream last year, it's not in drivers/staging/ and the Kconfig help text does not contain any warning that this is 'crap', so how were the Fedora people supposed to know? If you are suggesting that distribution kernel maintainers should not trust upstream kernel feature decisions and are expected to do a line by line review of the ~40,000 commits that go upstream every year, to make sure there's no hidden 'crap' in them (and failing that be labeled incompetent idiots), then you are out of your mind. It's just not possible to do that nor is it reasonable or efficient: crap should be caught via hierarchical filtering: when the developer posts the first patches to lkml, or when it merged into a maintainer tree, or when it goes upstream or when it is upstream and then, as the very last (and most expensive) line of defense, it will be caught when it gets exposure in distributions. Which seems to be precisely what happened here. Fact is that Kyle did Linux a _favor_ by enabling the feature in Fedora, as it allowed the bug/inefficiency/crap to be found by Dave. Linux got richer as a result as we learned about a bug that affects many people. Your gratuitous insults against him are highly misguided. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists