Date:   Wed, 5 May 2021 19:21:03 +0200
From:   Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To:     "Theodore Ts'o" <tytso@....edu>
Cc:     Adrian Bunk <bunk@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Tom Stellard <tstellar@...hat.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        clang-built-linux <clang-built-linux@...glegroups.com>,
        Fangrui Song <maskray@...gle.com>,
        Serge Guelton <sguelton@...hat.com>,
        Sylvestre Ledru <sylvestre@...illa.com>
Subject: Re: Very slow clang kernel config ..

On Wed, May 5, 2021 at 2:58 AM Theodore Ts'o <tytso@....edu> wrote:
>
> What does this mean for enterprise distributions, like RHEL, which
> need to maintain a stable kernel ABI as part of their business model.
> I assume it means that they will need to lock down on a specific Rust
> compiler and Rust libraries?  How painful will it be for them to get
> security updates (or have to do backports of security bug fixes) for
> 7-10 years?

That is a good question. If a security fix requires changes in some
generic that an out-of-tree module uses, customers will need to
rebuild their module if they want that fix. So companies providing
those modules will need to understand that disadvantage if they decide
to write an out-of-tree module in Rust. And to support out-of-tree
modules, distributions will need to provide the generics metadata like
they provide headers etc.

As for freezing the compiler, some distributions already support the
Rust compiler in LTS releases etc. But now that the Rust Foundation
exists and gets sponsor money from big corporations, companies and
distributions may be able to ask for "LTS" releases of the Rust
compiler, or ask for sharing some of the burden of backporting
security fixes etc.

Cheers,
Miguel
