On Mon, 06 Jun 2016, Martin Kühne <mysat...@gmail.com> wrote:

> Also, the way it is designed is a rather silly approach to security
> which is much more revealing about today's idiotic way of writing
> software by including tens of millions of SLOC of dependencies instead
> of doing the one thing for the one job.

Design is mostly a matter of taste, but it seems like you got everything backwards:

- Run sloccount on the OpenBSD source (the entire system) and compare with the Linux kernel alone. You'll find the difference is orders of magnitude in OpenBSD's favor.
- Pledge does exactly one thing, and the implementation is simple, clear and straightforward. (Go read the source! Now!)

I would say for some people it's perhaps too simple, as it may correctly handle 99% of the real-world use cases, but it doesn't allow any extra flexibility when needed. But yes, for me that's also a feature, and a mark of good design.

> Doesn't the loader also have a say in what addresses are known to a
> process?

Pledge only deals with syscalls, so yes, the loader in the kernel knows exactly which ones are available to the process, and denies them, per request. Yes, it can be implemented as a filesystem flag, but it would be much less effective.

> I personally find the idea of polluting our source code for this
> appalling and suggest the wiki.

I understand the sentiment of not wanting OS-specific functionality in an otherwise very portable piece of software, but since you're so outspoken about it, I'm very curious about which real-world alternatives you would recommend.

<3, K.
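Added example, not part of the thread or of any suckless project: the usual way pledge(2) is dropped into a portable program, which is the "polluting the source" concern above. The real call, its signature and the promise words "stdio" and "rpath" are OpenBSD's; everything else here (the compile-time guard, the staged narrowing, the function names, and the stand-in used on other hosts) is this example's own. On a non-OpenBSD host a local model replaces pledge(2) so the narrowing logic can be run; it restricts nothing, it only mirrors the kernel rule that promises may shrink but never grow (EPERM).

```c
/* Added example (not from the mailing-list thread). Assumptions:
 * pledge(2) as on OpenBSD; the promise words "stdio" and "rpath";
 * elsewhere a local stand-in that only models the narrowing rule. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_PROMISES 16
#define WORD_LEN 16

/* Split a space-separated promise string into words. Returns the word
 * count, or -1 if a word is too long or there are too many words. */
static int split_promises(const char *s, char out[MAX_PROMISES][WORD_LEN])
{
    int n = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        size_t len = strcspn(s, " ");
        if (len >= (size_t)WORD_LEN || n >= MAX_PROMISES) return -1;
        memcpy(out[n], s, len);
        out[n][len] = '\0';
        n++;
        s += len;
    }
    return n;
}

/* 1 if every word in `later` is already in `earlier` (a valid narrowing),
 * else 0. This is the check the kernel performs on a repeated pledge. */
int promises_narrow(const char *later, const char *earlier)
{
    char a[MAX_PROMISES][WORD_LEN], b[MAX_PROMISES][WORD_LEN];
    int na = split_promises(later, a), nb = split_promises(earlier, b);
    if (na < 0 || nb < 0) return 0;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb; j++)
            if (strcmp(a[i], b[j]) == 0) { found = 1; break; }
        if (!found) return 0;
    }
    return 1;
}

#ifndef __OpenBSD__
/* Stand-in for hosts without pledge(2) (assumed here for illustration).
 * It enforces nothing; it only models the rule that a later pledge may
 * not widen the promise set, failing with EPERM like the real call. */
static char current_promises[128];
static int pledged = 0;
static int pledge(const char *promises, const char *execpromises)
{
    (void)execpromises;
    if (promises == NULL) return 0;   /* NULL leaves the current set alone */
    if (pledged && !promises_narrow(promises, current_promises)) {
        errno = EPERM;
        return -1;
    }
    snprintf(current_promises, sizeof current_promises, "%s", promises);
    pledged = 1;
    return 0;
}
#endif

/* Stage 1: before startup reads its configuration, allow stdio plus
 * read-only filesystem access. */
int sandbox_startup(void) { return pledge("stdio rpath", NULL); }

/* Stage 2: once startup is done, drop filesystem reads for the main loop. */
int sandbox_serve(void) { return pledge("stdio", NULL); }

/* Asking for rpath back after dropping it is what the kernel refuses:
 * returns -1 with errno set to EPERM. */
int sandbox_widen(void) { return pledge("stdio rpath", NULL); }

int main(void)
{
    if (sandbox_startup() == -1) { perror("pledge"); return 1; }
    /* ... read configuration files here, while rpath is still allowed ... */
    if (sandbox_serve() == -1) { perror("pledge"); return 1; }
    if (sandbox_widen() == -1)
        printf("widening refused: %s\n", strerror(errno));
    return 0;
}
```

The guard keeps the OS-specific call to a single `#ifndef` block, which is all the "pollution" a portable program needs to carry; on OpenBSD the stand-in is never compiled and the real kernel enforces the promises.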