Date:	Mon, 5 May 2008 10:07:03 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Rusty Russell <rusty@...tcorp.com.au>
cc:	linux-kernel@...r.kernel.org,
	Jon Masters <jonathan@...masters.org>,
	Sam Ravnborg <sam@...nborg.org>
Subject: Re: changeset: Make forced module loading optional



On Mon, 5 May 2008, Rusty Russell wrote:
> 
> BTW, for the peanut gallery: I don't recommend modversions: it's not reliable
> in detecting all differences, nor being stable when there are no real
> differences.

Umm. modversions is in general a whole lot *more* reliable than just 
looking at the kernel version.

The kernel version is pretty good if you use CONFIG_LOCALVERSION_AUTO and 
have a git kernel tree, but if not, then modversions is much more likely 
to stop modules across big infrastructure changes during (say) the merge 
window.

So I agree that modversions is not "reliable", but I think that the 
alternative is often even *less* reliable, so I find the "don't recommend 
modversions" comment to be pretty debatable.

Since I personally try to avoid modules, and if I do use them I'd prefer 
the checking to be as strict as possible, I'd really not mind a "strict"  
mode that tests both MODVERSIONS _and_ the full kernel version string. 
Along with not allowing forced module loads, of course.

I also find it sad that apparently I'm one of the few ones that test with 
modules turned off. It's both more secure and simpler, but it does cause 
lots of noise at least during a Fedora boot, and it occasionally breaks 
the /etc/rc.d scripts because they assume that they have to load modules, 
and that it's an error if that fails. We had that happen with the iptables 
scripts not that long ago (and note how that was unrelated to initrd: this 
is past the point when things have switched to the normal root 
filesystem).

IOW, I wish distros did some testing with non-modular kernels too. Oh 
well. At least I can generally fix the problems, and make error reports, 
but I bet it means that most other kernel users simply turn on modules 
whether they need them or not.

			Linus
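
An added example, not part of the original message and not kernel code: a shell check that labels a kernel .config by the module-loading posture the message discusses (no modules, forced loading possible, modversions, or version string only). CONFIG_MODULE_FORCE_LOAD is the mainline option name for forced loading and is not named in the message; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): classify a kernel .config
# by the module-loading posture the message discusses.

# cfg_on FILE SYMBOL: succeeds if SYMBOL is set to "y" in FILE.
cfg_on() {
    grep -q "^$2=y\$" "$1"
}

# module_posture FILE: print one posture label for the config in FILE.
module_posture() {
    if ! cfg_on "$1" CONFIG_MODULES; then
        echo "non-modular"            # no loadable modules at all
    elif cfg_on "$1" CONFIG_MODULE_FORCE_LOAD; then
        echo "force-load-allowed"     # version checks can be overridden
    elif cfg_on "$1" CONFIG_MODVERSIONS; then
        echo "modversions"            # per-symbol version checking
    elif cfg_on "$1" CONFIG_LOCALVERSION_AUTO; then
        echo "version-string-auto"    # version string with automatic local version
    else
        echo "version-string-only"    # plain kernel version string
    fi
}

# write_sample FILE: constructed sample config (not from a real system).
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_LOCALVERSION_AUTO=y
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODVERSIONS=y
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "sample config: $(module_posture "$sample")"
rm -f "$sample"
```

On many distributions the running kernel's config can be passed in as /boot/config-$(uname -r).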