Date:   Mon, 19 Feb 2018 18:32:56 +0100
From:   Harald Welte <laforge@...monks.org>
To:     David Miller <davem@...emloft.net>
Cc:     fw@...len.de, daniel@...earbox.net, netdev@...r.kernel.org,
        netfilter-devel@...r.kernel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH RFC 0/4] net: add bpfilter

Hi David,

On Mon, Feb 19, 2018 at 10:31:39AM -0500, David Miller wrote:
> > Why is it practical to replace your kernel but not practical to replace
> > a small userspace tool running on top of it?
> 
> The container is just userspace components.  Those are really baked in
> and are never changing.

never until you have to apply a bug fix for any of the many components you bake
into it.  I am doing this on an (at least) weekly basis for my Docker containers.
That's no different from a classic Linux distribution where you update your apt/rpm
packages all the time.

A container that is static and cannot be continuously updated with new versions
for security (and other) fixes is broken by design.  If some people are doing
this, they IMHO have no sense of IT security, and such usage patterns are not
what kernel development should cite as the primary use case (again IMHO).

> This is how cloud hosting environments work.

Yes, *one* particular use case.  By far not every use case of Linux, or
Linux packet filtering.

-- 
- Harald Welte <laforge@...monks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
