Date: Tue, 21 Nov 2017 14:53:48 +0100
From: Lukas Wunner
To: Kees Cook
Cc: Matthew Garrett, Linus Torvalds, Paolo Bonzini, David Windsor, Linux Kernel Mailing List, Alexandre Belloni
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1
Message-ID: <20171121135348.GA18848@wunner.de>

On Mon, Nov 20, 2017 at 04:42:46PM -0800, Kees Cook wrote:
> I'm always trying to balance the requests from both ends of the
> security defense spectrum. One of the most common requests I get from
> people who are strongly interested in the defenses is "can this please
> be enabled by default?" And then I have to explain that it sometimes
> takes time for code to shake out, and it sometimes takes time for
> developers to trust it, etc. This is rarely a comfort to them, but
> they tend to be glad they can turn some config knob to enable the
> "strongest" version, etc, because for them, a false positive is no big
> deal. At the other end is the requirement that new stuff should not
> break the system. Both are reasonable perspectives, but if we violate
> the latter, the defense will never end up in the kernel in the first
> place.

I think Linus' objections must be seen in a broader context: in the last
months we've seen a large influx of semi-automatically generated
hardening patches (constification mostly). The volume of these was at
times overwhelming, in some cases they were dropped on the mailing lists
in a fire-and-forget fashion and there are multiple documented cases
where these patches broke things and the community was left to repair
the fallout.

When LWN published the 4.14 patch statistics (which some contributors
seem to mistake for a high score), Alexandre Belloni (+cc) rightfully
raised a complaint and included links to some of the broken patches:
https://lwn.net/Articles/736578/#CommAnchor737081

There is a growing sense that hardening patches (which are generally
desirable of course) are forced into the kernel without due diligence.
Objections against tone notwithstanding, making that concern known in
a form with greater visibility than an LWN comment was appropriate by
Linus.

It is most unfortunate that these concerns happened to be addressed to
you personally and stalled your patches (the quality of which I cannot
judge), even though they must (in my opinion) be interpreted in the
context of this larger issue.

It is likewise most unfortunate that this allowed bloggers, journalists
and HN know-it-alls with zero commits in the kernel and zero
participation on the mailing lists to focus on tone and whatnot, but
completely ignore what this is really about.

Thanks,

Lukas