thoughts on modules-extra subpackage...

John W. Linville linville at redhat.com
Tue Dec 6 21:55:04 UTC 2011


On Tue, Dec 06, 2011 at 04:19:35PM -0500, Chuck Ebbert wrote:
> On Fri, 2 Dec 2011 13:38:51 -0500
> "John W. Linville" <linville at redhat.com> wrote:
> 
> > As for the stated benefits...  I'm skeptical of the security argument.
> > I mean, I can believe that a module could get accidentally or
> > inadvertently loaded and then exploited.  I just think that closing
> > those holes is a better plan.
> 
> Unfortunately, network modules will be autoloaded if a program opens
> a socket with that protocol. They've talked about securing that, but
> it never happened.

That seems more realistic for a protocol module (e.g. sctp) than
for a queueing discipline (e.g. sch_sfb) or a TCP congestion control
algorithm (e.g. tcp_westwood).

> And there is a long history of security bugs being found in the new
> and/or infrequently-used modules.

That's probably true.  I still wonder if that is common enough to be
worth the change.

John
-- 
John W. Linville		The water won't run clean until you get
linville at redhat.com			the pigs out of the creek.
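
The autoloading discussed in this thread is driven by the `net-pf-*` aliases recorded in `modules.alias`. The following is an added example, not part of the original message or of any Fedora tooling: it lists the modules reachable through those aliases and emits modprobe.d `install` lines that stop them from being loaded, except for an allowlist. The function names, the allowlist and the sample alias lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find modules that can be autoloaded by opening a socket
# (net-pf-* aliases) and emit modprobe.d lines that block the ones not in use.

# Constructed sample in modules.alias format (not taken from a real system).
sample_aliases() {
cat <<'EOF'
# Aliases extracted from modules themselves.
alias net-pf-10-proto-132 sctp
alias net-pf-2-proto-132 sctp
alias net-pf-21 rds
alias net-pf-2-proto-33-type-6 dccp_ipv4
alias pci:v00008086d00001502sv*sd*bc*sc*i* e1000e
alias net-pf-10 ipv6
EOF
}

# gen_blocklist ALLOWLIST < modules.alias
# ALLOWLIST: space-separated module names that must stay autoloadable.
# Prints one "install <module> /bin/false" line per remaining module.
gen_blocklist() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) keep[a[i]] = 1
        }
        # Match only socket-triggered aliases: family, optional proto, optional type.
        $1 == "alias" && $2 ~ /^net-pf-[0-9]+(-proto-[0-9]+(-type-[0-9]+)?)?$/ {
            # Several aliases can point at one module; report each module once.
            if (!($3 in keep) && !seen[$3]++)
                print "install " $3 " /bin/false"
        }
    '
}

# Stand-alone run on the constructed sample, keeping ipv6 loadable.
# On a real system, feed /lib/modules/$(uname -r)/modules.alias instead.
sample_aliases | gen_blocklist "ipv6"
```

Review the output before placing it in a file under `/etc/modprobe.d/`, since a blocked module also fails to load when it is requested explicitly with `modprobe`.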

