On 07/20/2016 12:13 PM, NP-Hardass wrote:
> This is the first draft of a news item describing a packaging change for
> OpenAFS so that we no longer require the DEBUG_RODATA be turned off.
> Given the security implications of the previous setting of having
> CONFIG_DEBUG_RODATA=n, we thought it prudent to ensure that OpenAFS
> users get notice of the change in a manner that they are not likely to
> miss (unlike a message in a phase that can be missed/hidden/squelched).
>
>
> Title: OpenAFS no longer needs kernel option DEBUG_RODATA
> Author: NP-Hardass <np-hard...@gentoo.org>
> Author: Andrew Savchenko <birc...@gentoo.org>
> Content-Type: text/plain
> Posted: 2016-07-23
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: <=net-fs/openafs-kernel-1.6.18.2
> Display-If-Keyword: amd64
> Display-If-Keyword: ~amd64-linux
> Display-If-Keyword: ~sparc
> Display-If-Keyword: x86
> Display-If-Keyword: ~x86-linux
>
> As a result of bug #127084 [1], it was determined that OpenAFS's kernel
> module required that the kernel's data structures be read-write
> (CONFIG_DEBUG_RODATA=n). Upon reviewing the latest version of OpenAFS
> with Linux kernels 3.4-4.4, it has been determined that this condition
> is no longer necessary to ensure that OpenAFS builds and loads into the
> kernel.

The second sentence reads awkwardly to me. Was this recent discovery a
result of OpenAFS changes, or from a re-audit of the source? If it's the
former, I'd use something like:

  As of openafs-1.6.18.2, it is no longer necessary to disable
  CONFIG_DEBUG_RODATA for the OpenAFS module to build and be loaded by
  the kernel.

If the ebuild doesn't block on kernels < 3.4, of course warn about that
as well. For the latter it is okay, but still a bit awkwardly worded.

> Starting with net-fs/openafs-kernel-1.6.18.2, this condition is no longer
> forced in the ebuild. Considering the security implications of having
> CONFIG_DEBUG_RODATA turned off, it is highly advised that you adjust your
> kernel config accordingly. Please note that the default setting for
> CONFIG_DEBUG_RODATA is "y" and unless you have another reason for keeping
> it disabled, we highly recommend that you re-enable CONFIG_DEBUG_RODATA.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=127084

--
-Austin
GPG: 00B3 2957 B94B F3E1