Re: Reasons for Inclusion

• Previous message: jmjonesat_private: "Re: Reasons for Inclusion"
• In reply to: jmjonesat_private: "Re: Reasons for Inclusion"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

well, I would have to agree this is probalby the wrong place to ask.  I
would guess most people here are coding on this b/c they feel/felt it
should exist and hope it is brought into the kernel.  Kind of like
asking ford if a car should be made.

However, I have been a silent bystander monitoring this list since it
was created a while ago, I have neither contributed code or comment on
the project.  I have been highly interested in this project b/c (for me)
it allows a great deal of ease to my life.  I know I'm biased so please
take that into consideration.  

I am currently responsible for a small server farm (about 50 boxes) as a
backend to 2500 workstations, and pushed to get five 9 out of the
servers.  As a prime example we have a Linux box with samba that
provides general use storage to hold NT profiles and a home
drive(general storage) for 12,000 users.  I have never found another way
to test things for this server(or others like it) other than production
loads.  I can't simulate 2000 logon's, shift changes, someone decides to
store dvds on it, and etc. across an entire network(there are programs
that try, but for some reason nothing turns up a bug like using
something for real).  I can't have multiple test boxes b/c it is next to
impossible to keep active data in real time sync(terrabytes of space, 10
of millions of files).  We have backup servers that are constantly
syning, but a straight rsync takes 6 to 20 hours(depending on how far
out of sync the boxes are).  Down time has to be planned months in
advance.  I can not afford to be patching this box on regular
intervals(new grsecurity patch, new lids patch, and so on).  We used xfs
on the box for some time, however I was just able to move back to ext3
b/c I had to baby the server for an extra week waiting on a new xfs
patch to come out(during the whole vm change over)  At one point(several
years ago), this same server was stuck bouncing around in the 2.2 series
kernel b/c apple talk under a load on a 2.2.13-2.2.16 kernel would
kernel panic the machine.  To have a method to secure the box, update
those security patches with modules, the ability to change kernel first
to get stability then load a new lids patch or something in afterword...
I highly welcome this.  I have a bunch of servers that are not as
critical or much easier to deal with b/c they are load balanced, and
fail over.  Simply patching these servers with some "outside kernel
patch" is acceptable.  However, on other servers I have to stay away
from many patches I would like to apply b/c I can not afford the
downtime or wait while one group creates patches for a new kernel.  

I could go on listing reason's until my fingers hurt typing.  I don't
code on lsm, however I do welcome it into the kernel.  I might not even
use lsm on some boxes(that are not exposed to security risk[you know the
ones in the bottom of a lake{I guess that would still be a dos of the
lake}]), but I won't compile lsm on those boxes, just like I don't
compile in bluetooth, ham radio, or many of the other features that have
no interest or use to me(I'm still glad to know they are there if I
decide to take up ham radio or buy a blue tooth printer).

So as an outsider not involved in the development, I cast my vote of
interest and acceptance.  

--robert


On Fri, 2002-03-22 at 19:26, jmjonesat_private wrote:
> 
> I publicly apologize for asking this question.  I didn't know it would
> result in such motivated responses.
> 
> I accept Greg K-H's response: "because Linus said he might accept it."
> 
> 
> Sincerely,
> J. Melvin Jones
> 
> *-------------------------------------------------------
> * J. Melvin Jones                http://www.jmjones.com/
> * Webmaster, System Administrator, Network Administrator
> * ------------------------------------------------------
> 
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Casey Schaufler: "Re: Reasons for Inclusion"
• Previous message: jmjonesat_private: "Re: Reasons for Inclusion"
• In reply to: jmjonesat_private: "Re: Reasons for Inclusion"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 18:08:10 PST