Message-Id: <933DF777-0CE9-4DFE-B7C7-AF095919E4F0@purple-cat.net>
Date:   Fri, 21 Jul 2023 13:28:25 +1200
From:   Mike Hosken <mike@...ple-cat.net>
To:     unlisted-recipients:; (no To-header on input)
Cc:     Matthew Wilcox <willy@...radead.org>,
        Jeffrey Walton <noloader@...il.com>,
        John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Viacheslav Dubeyko <slava@...eyko.com>,
        Arnd Bergmann <arnd@...db.de>,
        syzbot <syzbot+7bb7cd3595533513a9e7@...kaller.appspotmail.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        christian.brauner@...ntu.com,
        Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
        Jeff Layton <jlayton@...nel.org>,
        Linux FS Devel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com,
        ZhangPeng <zhangpeng362@...wei.com>,
        linux-m68k@...ts.linux-m68k.org,
        debian-ports <debian-ports@...ts.debian.org>,
        torvalds@...ux-foundation.org
Subject: Re: [syzbot] [hfs?] WARNING in hfs_write_inode

Removing support for a file system and damn the user base who happily and actively use the file system is never the right option.

There are always a lot of users who use so-called obsolete hardware and various software to support their needs every day. They don’t subscribe to mailing lists or are in no way active in the community and they depend on Linux continuing to support them. Changing the status quo for a particularly narrow attack surface should never be taken.

Not having a maintainer is not ideal but the code has been very reliable and as the saying goes if it’s not broken ……..

If a serious problem did come up with this file system there are a number of developers that could do a fix and not be its full time maintainer. 

Calling for the removal is just nonsensical to me. 

Mike Hosken 
Sent via my iPhone 

> On 21/07/2023, at 11:12, Linus Torvalds <torvalds@...ux-foundation.org> wrote:
> 
> On Thu, 20 Jul 2023 at 15:37, Matthew Wilcox <willy@...radead.org> wrote:
>> 
>> I think you're missing the context.  There are bugs in how this filesystem
>> handles intentionally-corrupted filesystems.  That's being reported as
>> a critical bug because apparently some distributions automount HFS/HFS+
>> filesystems presented to them on a USB key.  Nobody is being paid to fix
>> these bugs.  Nobody is volunteering to fix these bugs out of the kindness
>> of their heart.  What choice do we have but to remove the filesystem,
>> regardless of how many happy users it has?
> 
> You're being silly.
> 
> We have tons of sane options. The obvious one is "just don't mount
> untrusted media".
> 
> Now, the kernel doesn't know which media is trusted or not, since the
> kernel doesn't actually see things like /etc/mtab and friends. So we
> in the kernel can't do that, but distros should have a very easy time
> just fixing their crazy models.
> 
> Saying that the kernel should remove a completely fine filesystem just
> because some crazy use-cases that nobody cares about are broken, now
> *that* is just crazy.
> 
> Now, would it be good to have a maintainer for hfs? Obviously. But no,
> we don't remove filesystems just because they don't have maintainers.
> 
> And no, we have not suddenly started saying "users don't matter".
> 
>          Linus
> 
