On Tue, Dec 06, 2011 at 03:09:12PM +0100, Marcus Meissner wrote:
> Hi,
>
> I think it is a very deep conceptual issue and a very deep difference in thinking about availability of features...
>
> "As close and restricted as possible" vs "allow as much as possible".
>
> Let's see two cases:
>
> If you are building a nuclear power plant, you want everything specified and doing exactly the thing you want it to do, but nothing more. You want everything documented, proven to be only there if needed, and doing just the things it needs to do.
>
> If you are building an experimental herb and flower garden, you want random influences and as much potential as possible.
>
> A secure Linux server sadly should act more like a nuclear power plant as break-ins will cause fallout than a herb garden.

Again, what specifically is wrong with debugfs that is causing problems? Is it just the fear of the unknown? procfs "leaks" more system information today than debugfs does, do you want to not allow that to be mounted as well?

This "fear of the unknown" for a feature of the kernel that has been there for a very long time is quite strange to me.

And again, if there are problems found with any type of security-related information leakage that should not be there in debugfs, let us know, it will get fixed. But don't outright ban the thing just because you are "afraid" of it, that's wrong.

thanks,

greg k-h