Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1791216ybl; Sun, 18 Aug 2019 10:30:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqyRwEXGcixPI2zrZ9ZLZjZ77eW3pKsr1zbk9asHaHVHYvhwNvaRpD/9RUrRJtZnWYKcMaM1 X-Received: by 2002:aa7:96b3:: with SMTP id g19mr19800540pfk.26.1566149459536; Sun, 18 Aug 2019 10:30:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566149459; cv=none; d=google.com; s=arc-20160816; b=y1p2FijqtIJF9unZq1yT9E5fXftLPwR8rhsyTlEj3PwQ3OHjOBFGdCFtnJXmpDyW2m +uRUT7aKPCUtEwK9CbXCL1Q0AjrOzsEkU+dpIM9XS4BYNK9HC5OvaGIcfns2hy0eFTjs witshz6QYaCRBWX8sFKWhf3satvs0QaAc1A5xS3GtOGcZmG6u2W0yWYvFbom2F4tMhw7 racSvMJB8Sri9rz/AfbPbdkb81mJjifcIB1m5eMwtZoH0q8zvWi78pAGZmaEF+Zv/wbO eRl18vy9lOPNqGKdDnjEuv+SQLK7KG369Lcx8N0q1w9HTH8EcCuTwxwI5+fj1b4/s2tI cU3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=tSJG9fySE8yVifeO5g7z8kPrnIz4yGXPchNN9oUy+js=; b=XiSKcC4mLpQoqFSA4ansLQbMWWEDLHV/Poi+rjbQz0v2kpibMUXOew754Qx8tmqKsC ukfXA15b2qi68/jqJb1C3VwyvBz+x8OINLalF+0+5hJpkl2qgFVJwpMZCj477siKxtZ2 9xiGwct9XKGIKcCRTUdv44YBB0xhK9GEWYd6U/VPz3T8/EU5hvdIvz+4903LLoYSaARU KntfKONGjO56NaYln/+UuSnXioL2IfkS6IGHqGD4GKynTr4oP50unXoiwGNl0pv0L1An ZLZBb73eGno9j4aUajN69QfzfUaBqSrIv+uk7CfJNc7R1KLAESZdXrciObtMB0fR/waf pgJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="FekiGl/L"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v24si8179802plo.244.2019.08.18.10.30.45; Sun, 18 Aug 2019 10:30:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="FekiGl/L"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726927AbfHRR3m (ORCPT + 99 others); Sun, 18 Aug 2019 13:29:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:40250 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725786AbfHRR3m (ORCPT ); Sun, 18 Aug 2019 13:29:42 -0400 Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 480E22146E; Sun, 18 Aug 2019 17:29:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566149381; bh=PgJleJMkSwlg249xRQ3F/CLBlnJ55j1fqyWspV/sxSo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FekiGl/L6shXdxivYe+rkyONVdHXfQ6Afmbfr/fNBY+CHkNu25IEPWPt56UlqUHno bFpMcqrtl7K2u7xAZD9UH+7fT8gKqlVaSimOuXQXrY2NSWuSlGZnV8E0f/h03HFPB1 o0+oYsbdFDrx6uD30QvqnfFZ6AXv0QVAO+i0O/fc= Date: Sun, 18 Aug 2019 10:29:38 -0700 From: Eric Biggers To: Christoph Hellwig Cc: "Theodore Y. Ts'o" , Richard Weinberger , Greg Kroah-Hartman , Gao Xiang , Jan Kara , Chao Yu , Dave Chinner , David Sterba , Miao Xie , devel , Stephen Rothwell , Darrick , Amir Goldstein , linux-erofs , Al Viro , Jaegeuk Kim , linux-kernel , Li Guifu , Fang Wei , Pavel Machek , linux-fsdevel , Andrew Morton , torvalds Subject: Re: [PATCH] erofs: move erofs out of staging Message-ID: <20190818172938.GA14413@sol.localdomain> Mail-Followup-To: Christoph Hellwig , "Theodore Y. Ts'o" , Richard Weinberger , Greg Kroah-Hartman , Gao Xiang , Jan Kara , Chao Yu , Dave Chinner , David Sterba , Miao Xie , devel , Stephen Rothwell , Darrick , Amir Goldstein , linux-erofs , Al Viro , Jaegeuk Kim , linux-kernel , Li Guifu , Fang Wei , Pavel Machek , linux-fsdevel , Andrew Morton , torvalds References: <20190817233843.GA16991@hsiangkao-HP-ZHAN-66-Pro-G1> <1405781266.69008.1566116210649.JavaMail.zimbra@nod.at> <20190818084521.GA17909@hsiangkao-HP-ZHAN-66-Pro-G1> <1133002215.69049.1566119033047.JavaMail.zimbra@nod.at> <20190818090949.GA30276@kroah.com> <790210571.69061.1566120073465.JavaMail.zimbra@nod.at> <20190818151154.GA32157@mit.edu> <20190818155812.GB13230@infradead.org> <20190818161638.GE1118@sol.localdomain> <20190818162201.GA16269@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190818162201.GA16269@infradead.org> User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 18, 2019 at 09:22:01AM -0700, Christoph Hellwig wrote: > On Sun, Aug 18, 2019 at 09:16:38AM -0700, Eric Biggers wrote: > > Ted's observation was about maliciously-crafted filesystems, though, so > > integrity-only features such as metadata checksums are irrelevant. Also the > > filesystem version is irrelevant; anything accepted by the kernel code (even if > > I think allowing users to mount file systems (any of ours) without > privilege is a rather bad idea. But that doesn't mean we should not be > as robust as we can. Optionally disabling support for legacy formats > at compile and/or runtime is something we should actively look into as > well. > > > it's legacy/deprecated) is open attack surface. > > > > I personally consider it *mandatory* that we deal with this stuff. But I can > > understand that we don't do a good job at it, so we shouldn't hold a new > > filesystem to an unfairly high standard relative to other filesystems... > > I very much disagree. We can't really force anyone to fix up old file > systems. But we can very much hold new ones to (slightly) higher > standards. Thats the only way to get the average quality up. Some as > for things like code style - we can't magically fix up all old stuff, > but we can and usually do hold new code to higher standards. (Often not > to standards as high as I'd personally prefer, btw). Not sure what you're even disagreeing with, as I *do* expect new filesystems to be held to a high standard, and to be written with the assumption that the on-disk data may be corrupted or malicious. We just can't expect the bar to be so high (e.g. no bugs) that it's never been attained by *any* filesystem even after years/decades of active development. If the developers were careful, the code generally looks robust, and they are willing to address such bugs as they are found, realistically that's as good as we can expect to get... - Eric