* Christoph Hellwig <h...@infradead.org> wrote:

> On Sat, Oct 16, 2010 at 02:10:29PM -0700, H. Peter Anvin wrote:
>
> > "Christoph Hellwig" <h...@infradead.org> wrote:
> >
> > > Besides the algorithmic problems with ima, why is kernel.org using
> > > IMA to start with? Except for IBM looking for a reason to justify
> > > why TPM isn't a complete waste of resources it's pointless.
> > > And it was only merged under the premise that it would not affect
> > > innocent normal users.
> >
> > I'm confused ... what makes you think we are? This might have been
> > an unintentional misconfiguration...
>
> I didn't mean to imply you enabled it intentionally. In fact it looks
> like the inode tracking in IMA is always on once it's compiled in,
> which totally defeats the purpose of doing its own internal inode
> tracking instead of bloating the inode what they originally proposed.
> IMA really needs a kernel parameter to only enable this crap when
> people actually use it.

That is true.

> And whoever turned it on in Fedora needs some serious whacking.

And that is false. This security feature was merged upstream last year,
it's not in drivers/staging/ and the Kconfig help text does not contain
any warning that this is 'crap', so how were the Fedora people supposed
to know?

If you are suggesting that distribution kernel maintainers should not
trust upstream kernel feature decisions and are expected to do a line by
line review of the ~40,000 commits that go upstream every year, to make
sure there's no hidden 'crap' in them (and failing that be labeled
incompetent idiots), then you are out of your mind.

It's just not possible to do that nor is it reasonable or efficient:
crap should be caught via hierarchical filtering: when the developer
posts the first patches to lkml, or when it is merged into a maintainer
tree, or when it goes upstream or when it is upstream and then, as the
very last (and most expensive) line of defense, it will be caught when
it gets exposure in distributions.

Which seems to be precisely what happened here.

Fact is that Kyle did Linux a _favor_ by enabling the feature in Fedora,
as it allowed the bug/inefficiency/crap to be found by Dave. Linux got
richer as a result as we learned about a bug that affects many people.
Your gratuitous insults against him are highly misguided.

Thanks,

Ingo