Re: New stacker performance results

From: Crispin Cowan (crispin@private)
Date: Wed May 25 2005 - 17:24:48 PDT


James Morris wrote:
>On Wed, 25 May 2005, Crispin Cowan wrote:
>  
>>As a supplier of a different security module than SELinux, I naturally
>>vehemently object to the suggestion of "just remove LSM and use SELinux
>>instead." That would be a huge step backwards. Linux is all about
>>choice, and LSM effectively provides for that choice.
>>    
>In the years since LSM was included in the mainline kernel, SELinux has
>been the only significant module implemented and also included in the
>mainline kernel.  So we have a generalized framework for one user, 
>SELinux, which itself is a generalized framework.
>
>Note: out of tree kernel code does not count for anything.  It's not
>really part of the Linux kernel.  Mainline maintainers don't care about it
>and should not be expected to.  If you want them to care, for people to
>fix bugs in it for free, and for more people to use it, then submit the
>module for upstream inclusion.  It seems rather strange that you haven't.
>  
I find this to be a very odd perspective.

I think of LSM as an API. Its purpose is precisely to provide a layer of
abstraction so that kernel maintainers do *not* have to maintain the
modules. Linus said *very explicitly* that he did not want to maintain
security modules, and that was the point of LSM.  I know of a large
number of LSM modules in development all over the place, and discounting
them just because they have not been imposed on the kernel community
seems arbitrary. So this "does not count" stuff sounds like a
contrivance to me.

I had *assumed* that the Linux kernel community was not interested in
maintaining and bugfixing my module, and so I deliberately avoided
submitting it as a courtesy. I similarly do not submit my applications
for mainline inclusion just because they use some Linux syscalls.

However, if mainstream kernel inclusion is required to "count" as a
user, then I'm happy to do that. The module code is GPL anyway, and
we'll start looking at what it will take to push it to mainstream. This
seems like a weird requirement to me, but if it is what's required, I
don't have a problem with it.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com


