Date: Mon, 20 Nov 2017 23:29:37 +0000
From: Matthew Garrett
To: Linus Torvalds
Cc: Kees Cook, Paolo Bonzini, David Windsor, Linux Kernel Mailing List
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1

On Mon, Nov 20, 2017 at 12:47:10PM -1000, Linus Torvalds wrote:
> Sorry, on mobile right now, thus nasty HTML email..
>
> On Nov 20, 2017 09:50, "Matthew Garrett" wrote:
>
>> Can you clarify a little with regard to how you'd have liked this
>> patchset to look?
>
> So I think the actual status of the patches is fairly good with the default
> warning.
>
> But what I'd really like to see is to not have to worry so much about these
> hardening things. The last set of user access hardening really was more
> painful than it might have been.

Sure, and Kees learned from that experience and added the default
fallback in response to it. Let's reward people for learning from past
problems rather than screaming at them :)

From a practical perspective this does feel like a completely
reasonable request - when changing the semantics of kernel APIs in ways
that aren't amenable to automated analysis, doing so in a way that
generates warnings rather than triggering breakage is pretty clearly a
preferable approach. But these features often start off seeming simple
and then devolving into rounds of "ok just one more fix and we'll have
everything" and by then it's easy to have lost track of the amount of
complexity that's developed as a result. Formalising the Right Way of
approaching these problems would possibly help avoid this kind of
problem in future - I'll try to write something up for
Documentation/process.

> And largely due to that I was really dreading pulling this one - and then
> with 20+ pulls a day because I really wanted to get everything big merged
> before travel, I basically ran out of time.
>
> Part of that is probably also because the 4.15 merge window actually ended
> up bigger than I expected. I was perhaps naive, but I expected that because
> of 4.14 being LTS, this release would be smaller (like 4.9 vs 4.10) but
> that never happened.
>
> So where I'd really like to be is simply that these pulls wouldn't be so
> nerve wracking for me. And that's largely me worrying about the approach
> people are taking, which is why I then reacted so strongly to the whole
> "warnings came later".
>
> Sorry for the strong words.

This one seems unfortunate in that a lot of people interpreted it as
"Kees submits bad code", and I think that does have an impact on
people's enthusiasm for submitting more complex or controversial work.
The number of people willing to work on security stuff is limited
enough for various reasons, let's try to keep hold of the ones we have!

--
Matthew Garrett | mjg59@srcf.ucam.org