| trulux | willy, yeah, ok ;) |
|---|---|
| marcelo | trulux, OK? |
| damjan | How about including CIFS in 2.4? |
| damjan | Is it non-distubing enough? |
| willy | can't you people wait 6 minutes for the q&a session to |
| officially start? ;-) | |
| damjan | sory |
| trulux | marcelo, ok, i was just wondering for your opinion, some |
| people think that i'm doing a worthy job backporting selinux, others think i | |
| got perverted by some time of nonsense idea and others just say it may be OK | |
| willy | trulux: there's no reason that marcelo has to accept your |
| backport for it to be useful, of course. | |
| trulux | and backporting it it's not my first priority, anyway, it's a |
| thing i like to do to learn, when you are young you like those things ;) | |
| trulux | willy, yes, i was just wondering for his opinion |
| trulux | and also, but this one is offtopic in a not reasonable |
| manner, ask for help to someone who wants to care on it | |
| willy | personally, I think you'd be best off chasing down problems in |
| 2.6 that prevent Debian from using it ... though I appreciate that's a lot | |
| less fun ;-) | |
| trulux | rotfl |
| EricB | AOLism detected - shields up. |
| marcelo | trulux, sure your backport will be useful for a lot of |
| people - just not a candidate for v2.4 inclusion, as willy says. | |
| marcelo | They are different things :) |
| trulux | marcelo, and how's the policies for patches and enhancements |
| acceptance for 2.6? | |
| trulux | i want also to talk about some ideas, about NX |
| implementations and other stuff, dunno if i would get kicked before or after | |
| of each question | |
| trulux | ;) |
| riel | does anybody want to ask the first question ? |
| trulux | davej, i've backported the selinux hooks for mount contexts |
| used in Fedora, what changes are needed outside the LSM/SE structure to make | |
| them working smoothly? | |
| trulux | riel, hands up |
| trulux | :) |
| Daedius | lol |
| REAL | lala.. |
| joined #qc | |
| rene | gregkh: what is your opinion of the current state of the device |
| model? anyspecific directions you want it to go which it isn't yet? | |
| davej | ooh, good one. |
| mjt | another question: where's Rusty? ;) |
| mcr | I have been using User-Mode-Linux for nightly regression testing |
| of the KLIPS IPsec code. This has proven very effective. I would like to see | |
| more use of UML for regression testing of non-hardeware driver related items. | |
| Perhaps the assembled people could tell us what is keeping them from testing | |
| more extensively with UML. | |
| weasel | Not a very technical question, but one regarding release |
| policy. Currently it often takes many weeks | |
| weasel | until known security problems get fixed not only in BK, but in |
| a release. Do you intent to make use | |
| trulux | riel, what's the opinion of the kernel hackers on NX |
| implementations and memory protection enhancements: Exec Shield, PaX.... etc? | |
| weasel | of x.y.z.N releases wich fix such critical bugs quickly in the |
| future, or at least make patches more | |
| weasel | widely known? |
| trulux | also, is there any intenttion on providing a CSRNG as optional |
| replacement for the standard RNG? | |
| willy | could you expand 'CS' in that context? |
| EricB | It seems that most vendors now ship their own kernel. Is this |
| becoming a problem or are the vendors being good about submitting patches for | |
| inclusion in linux? | |
| damjan | gregkh: while on the device model, is power management all |
| right, but drivers implement it poorly or it needs work too? | |
| REAL | lala.. |
| trulux | willy, Cryptographic Strong Random Number Generator |
| rene | gregkh: thank you |
| willy | trulux: SHA-1 is cryptographically strong ;-) |
| gregkh | rene: you're welcome. |
| trulux | willy, SHA1 has collisions AFAIK |
| willy | you're thinking either of MD5 or of SHA-0; in either case, you |
| can't control enough of the entropy being mixed into the entropy pool to matter | |
| trulux | and also, random.c doesn't have complex entropy pool feeding |
| routines | |
| trulux | willy, let me give you the address of jlcooke's Fortuna CSRNG |
| patch | |
| willy | oh. jlcooke is a crank, ignore him ;-) |
| trulux | willy, lol |
| trulux | willy, http://jlcooke.ca/random/ |
| trulux | i noticed the patch by an email from him, asking for inclusion |
| in hardened debian kernel sources | |
| mb_ | Maybe you want to read this on MD5|SHAx collisions: |
| http://www.rsasecurity.com/rsalabs/node.asp?id=2738 | |
| trulux | mb_, from RSA ... why they should want to say it's not? |
| trulux | mb_, there were lots of comments on that |
| trulux | anyway, i don't care of that, i simply change to another thing |
| which people does not talk worst on it | |
| trulux | (aes256 and sha256) |
| mb_ | trulux: tiger? |
| trulux | mb_, i wa stalking about this: http://jlcooke.ca/random/ |
| Hackers. "Q&A about linux kernel. Closing Ceremony". ' | |
| trulux | riel, what about my question about NX implementations? |
| riel | trulux: in a minute |
| trulux | kay |
| roel | with the new development model, having a less stable-on-all-times |
| kernel, won't we depend even more on patched distribution kernels? | |
| ducky | marcelo hello, nice day, what about your experiences as the 2.4 |
| kernel mantainer? | |
| trulux | riel, also, is the FreeBSD jails port going to be integrated |
| into the kernel? | |
| trulux | <riel> however, I think that the security conscious (aka |
| paranoid) system administrators are not the main target for these patches | |
| trulux | riel, not really.i think the so-called zero-day exploits are a |
| good example to show up the priority of applying those enhancements | |
| trulux | sure there are people having a few archives of them |
| trulux | also, the line is no straight, and maybe we have many "enemies" |
| that could put money, effort and people in researching on those security breaks | |
| trulux | to expose negative results on the open source or free software |
| movement | |
| trulux | even in any of its related projects |
| trulux | and compromising, weaking, fscking, messing up stuff over there |
| and there | |
| trulux | without difficulties |
| riel | trulux: good point, you are right about zero day exploits |
| trulux | riel, there are no conspiracys, but there are some parts |
| interested on mess and f*ck up our work | |
| trulux | conspiracies |
| trulux | and get money back from it |
| riel | want me to answer your BSD jail question in a bit ? |
| trulux | riel, yes, if you want ;) |
| riel | there are a few other questions "in the queue" first, though |
| trulux | ok |
| trulux | np, i will continue making noise here ;) |
| roel | what about projects like linux from scratch? |
| roel | there's no distribution kernel there |
| benk | riel :) is bsd distributions have tools for pkg managing |
| diferents than pkg_tool? than could make the task easier like gentoo does? | |
| warren | roel, linux from scratch is not for serious production use. Or |
| rather you have too much time on your hands if you do. | |
| mb_ | I've been always running vanilla kernels and I had very few |
| crashes (once a year was often). Now directly after the new development model | |
| started, I have crashes every week. At the moment I have a crash per day at | |
| least, gregkh | |
| roel | not true, you can make a very good production server with it |
| gregkh | mb_: report the bugs at bugzilla.kernel.org so we know to fix |
| them. | |
| warren | mb_, anecdotal accounts of individuals are not indicative of an |
| overall trend. | |
| mb_ | yeah, but it is a fact as I describe it here. |
| mb_ | I do that. gregkh |
| gregkh | mb_: then report it so it is fixed. otherwise it never will |
| be. This is a community. | |
| gregkh | mb_: great. |
| ducky | what do you think about, whats the most strong barrier to the |
| enterprises to migrate all their servers to 2.6 | |
| mcr | long live the IBM mainframe! |
| trulux | ducky, when they use specific stuff |
| trulux | and less than 4 cpus |
| trulux | ;) |
| mcr | ducky, the totally untested IPsec stack. |
| trulux | mcr, THAT'S WHEN NOT USING oPENSWAN |
| trulux | oops |
| trulux | sorry of the caps |
| EricB | wow |
| trulux | EricB, that's the thing that happens when you turn |
| window-to-window and coding stuff in other place | |
| trulux | "i forgot the caps" ;D |
| EricB | I don't have a capslock :) |
| mcr | trulux, 2.6 has a broken ipsec stack. that's something that keeps |
| people from migrating. if you can't run 2.6 on the desktops or the gateways, | |
| then why bother with the servers... | |
| trulux | yeah |
| trulux | another reason to add to my I-Apologize-for file in the topdir |
| of the selinux backport | |
| warren | davej, -ac kernels are not always "stable" only feaures |
| weasel | thanks |
| davej | warren: *nod* a more conservative approach would be a useful |
| thing to have. | |
| ducky | thanks mcr |
| EricB | it would be nice to at least see official security patches even |
| if a security point release is never created | |
| trulux | EricB, it could be great to create a team of volunteers to |
| maintain an official secured vanilla kernel | |
| trulux | with secured meaning: having security enahncements and so on |
| trulux | riel, what do you think? |
| gregkh | trulux: step up and do it. |
| willy | I'm mulling over volunteering for that position |
| EricB | not even enhancements just patches to the current point release |
| mcr | wasn't there a distro that planned exactly that? I met a guy at |
| OLS... seatle or something. | |
| EricB | for known problems |
| warren | trulux, a while ago somebody began a site with "only bugfix |
| patches" for each kernel. Don't know if they continued. | |
| EricB | something very basic to get buy until the next point release |
| where those patches would be included | |
| ducky | thanks a lot :) |
| trulux | gregkh, i can do it, but maybe i'm not the best one |
| trulux | anyway, i'm a good kamikaze in effort terms |
| EricB | that would eliminate the lag time between security fixes as well |
| as alowing people like -ac to keep not have to worry about people using their | |
| release for basic security fixes | |
| willy | Need more questions ;-) |
| willy | (please repeat it if you asked one that hasn't been answered yet) |
| EricB | Is there going to be any effort made to split up the source by |
| arch? Most people only need one or two | |
| trulux | btw, it would be great to provide an official wiki on the |
| kernel sites to write collaborative-style documentation, etc | |
| gregkh | EricB: that's in the lkml FAQ. |
| mcr | Q: my question wasn't answered by anyone other than riel. I'd like |
| to know if the others have thought of using UML. | |
| EricB | oh :) |
| EricB | sorry. |
| riel | mcr: people have used it, I know some cluster developers are |
| trulux | gregkh, we can try to make some movements for that, what do you |
| think that should be done first? | |
| left #qc | |
| gregkh | mcr: I can't use uml, due to the driver work. |
| gregkh | trulux: i have no idea, good luck. |
| trulux | gregkh, heh a good luck does not help a lot, i'm in lack of |
| infrastructure | |
| riel | does anybody else (who has not asked a question yet) want to ask |
| a question ? | |
| mb_ | What about the BKL. Can we expect that there will be the day when |
| it disappears? Is work going on there? | |
| EricB | gregkh Yeah I feel like kind of a dipshit now :) |
| gregkh | EricB: don't. |
| ducky | what about the ideas about the aperture of the 2.7 tree, what |
| features should it have? | |
| trulux | willy, what do you mean by someone in charge of security |
| bugfixes? | |
| willy | trulux: someone who maintains a -secure tree, basically. Watch |
| for patches going into the kernel that're security related and produce a tree | |
| based on that. | |
| ducky | thanks marcelo :) |
| EricB | willy I think that's a great idea |
| trulux | willy, it would be great, what type of security enhancements |
| among the bugfixes? | |
| gregkh | trulux: ah, it's a slippery slope down from there... |
| willy | If I were doing it, I'd only include actual bugfixes. |
| rene | gregkh: I believe the console stuff is still a big BKL user? I |
| believe it's likely to move to (early-)userspace? | |
| willy | ie nothing that wouldn't go into Linus' tree. |
| gregkh | rene: I don't know. there's no big performance need for the |
| console stuff :) | |
| rene | while on the topic. where _is_ early userspace? :) |
| rene | gregkh: some sanity need, though... |
| trulux | willy, and where it could be hosted? |
| mb_ | When I looked at the VFS code I saw lots of lock_kernels() which |
| protect the not so often used operations (others then open/read and write). | |
| Aren't they a candidate to go away soon? | |
| warren | Q: Are we still plagued by VM balancing problems? Will there |
| ever be an end to it? | |
| tklauser | How do driver developers and lowlevel hackers test their |
| code? Isn't it difficult to debug code at such a low level? | |
| warren | tklauser, that's what users are for. =) |
| tklauser | warren: *g* |
| tklauser | Yeah, but I mean one can't put out a driver which doesn't run |
| at all and leave it to the users to test it. | |
| tklauser | willy: Thanks for your answer. |
| damjan | What's the general feeling amongst the main kernel hackers |
| about user-space filesystems (like FUSE), will it go in mainline? Also what | |
| about per-user (or per process) VFS namespaces ... Also what about overlay | |
| mounts? | |
| rene | gregkh: thanks for the ml pointer. didn't know there _was_ a ml... |
| gregkh | tklauser: I've done just that before, and then debugged by |
| email as I didn't have the hardware to even test it. | |
| riel | does anybody else have a question ? |
| riel | we should probably close this session some time within the next |
| 20 minutes, so now is the time te ask ... | |
| drizzd | Will the upstream kernel ever be capable to provide hard real |
| time scheduling? | |
| tklauser | gregkh: So basically you just have to have enough experience |
| (and maybe confidence in your code) to do something just right from the | |
| beginning and then just leave it to other people to test it? | |
| krocz | riel: how hard would it be to run grsecurity with xen? |
| EricB | :) |
| warren | Q: On the topic of filesystems, what will it take to enable use |
| of mount --bind -o ro to have a filesystem read-only in one location, | |
| read-write in another simultaneously? Existing patches (from vserver authors) | |
| against 2.6 were rejected a few months ago. Any further work in this | |
| direction? | |
| gregkh | tklauser: sure, whatever you feel comfortable with. It depends |
| if you can handle public criticism or not :) | |
| tklauser | gregkh: OK. Thanks for your answer. |
| ducky | :) |
| krocz | what parts of the linux kernel does Xen patch? |
| EricB | Is there going to be any move for copy on write file copies? |
| This would beat the pants off of LVM snap for taking db backups | |
| tklauser | krocz: AFAIK Xen doesn't patch the kernel at all. |
| rene | gregkh: where is the klibc ml? google isn't finding it for me, |
| only hitting lkml | |
| warren | Q: What about the ext3 COW stuff discussed a few months ago. |
| Is there any possibility of making this work transparently in the future | |
| upstream kernel? | |
| damjan | I also have a question about improving robustness of the |
| kernel, if you got processes stucked somewhere in the kernel (waiting on NFS, | |
| CIFS or bad CD) the only thing you can do is a restart ... can something be | |
| done about it? Another example is a usb-hdd (sd_mod + usb-storage) with | |
| reiserfs on it... the laptop got suspended, the usb-hdd removed (although | |
| mounted) ... but that operation had bad effects on /dev/hda3 (/home) because | |
| it was also reiserfs... | |
| tklauser | krocz: Sorry I mixed that. You may want to read |
| http://www.cl.cam.ac.uk/Research/SRG/netos/xen/faq.html | |
| gregkh | rene: http://www.zytor.com/mailman/listinfo/klibc |
| rene | thank you |
The Organizing Comittee
