Torvalds On Pluggable Security Models
eldavojohn writes "The KernelTrap highlights an interesting discussion on pluggable security models including some commentary by Linus Torvalds. While Torvalds argued against pluggable schedulers, he's all for pluggable security. Other members were voicing concerns with the pluggable nature of the Linux Security Model, but Torvalds put his foot down and said it stays. When asked why his stance was different between schedulers and security, he replied, 'Schedulers can be objectively tested. There's this thing called 'performance,' that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is hard science. The other one is people wanking around with their opinions.'"
If you read all of it ... (Score:5, Informative)
His complete email reads:
Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.
Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.
So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".
If you guys had been able to argue on hard data and be in agreement, LSM wouldn't have been needed in the first place.
BUT THAT WAS NOT THE CASE.
And perhaps more importantly:
BUT THAT IS *STILL* NOT THE CASE!
Sorry for the shouting, but I'm serious about this.
Am I alone in thinking that Linus basically says:
"Look I'm no security expert, and I'd be happy to follow your collective expert guidance if only:
(a) you could quantify what you're saying and turn it into engineering instead of a religious argument
(b) the lot of you could agree on *one* set of guidelines/features as being best all-around
Unfortunately it appears you can't do either. That being so, I'm not going to burn my fingers and blindly choose one security boondoggle over all the others. I'll just make them pluggable so that every one of you can have his own personal security system. End of discussion. Now go away and be happy."
Re:Spot on Torvalds... (Score:3, Informative)
Indeed, it's also been shown (RTFML) that scheduler improvements are mostly trivial and generally don't warrant such an effort.
Finally, one must consider the enormous amount of bugs being introduced by touching so many different areas and applying different algorithms in different cases.
Maybe this is something for consideration with the 3.x branch (which Linus has no intention of making), but it seems like a reasonable decision so far given the data.
Re:Spot on Torvalds... (Score:5, Informative)
Re:So we can quantify scheduling performance? (Score:2, Informative)
Hard realtime usually implies severe performance penalties. People who really need something like that probably don't use a vanilla kernel.
Torvalds usually doesn't care about something being the best. It's supposed to be good enough.
Using the word best requires you to say for what, otherwise you might as well use a word such as coolest, most geeky, most whatsoever.
Since Torvalds usually cares a lot about efficiency, I guess that a pluggable scheduler would be less performant.
Re:Good. (Score:3, Informative)
I can't videoconference, edit videos, make mp3s, play video games or make a slideshow in Linux. How about a couple of kernel devs drop off and help Linux go the last mile.
Other than video conferencing (haven't tried), my wife and 13 year old son can do everything on your list (using SuSE, Fedora or Ubuntu).
Shouldn't you be posting questions to http://www.linuxquestions.org/ or http://www.justlinux.com/?
You won't get an RTFM response.
Slashdot isn't a Linux help forum.
Enjoy,
Re:Well (Score:2, Informative)
Linus is an asshole.
Ahem (Score:3, Informative)
Re:Spot on Torvalds... (Score:4, Informative)
Re:Scheduler vs Security Plugins (Score:1, Informative)
Only root can load new kernel modules, so you'd have to have the highest permissions to load a new security module into the kernel at runtime.
The integrity of the security module binary would of course depend on your distribution and how you receive new updates over the internet, as well as the security of your file system (permissions should be correctly set up on your filesystem).
Having signed security modules is possible (but is optional, completely isolated and redundant in most cases). This isn't Windows where you are forced to have signed kernel modules/drivers while attackers can work around your security in other ways (patching the binary on your system which does code signing validation, adding new rogue certificates to your certificate store, etc).
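The controls mentioned in the comment above can be read back from a running system. The following is an added example, not part of the original comment or of any kernel tooling: it reports whether module loading is disabled outright, limited to signed modules, or left to root, and which security modules are active. It reads the standard `modules_disabled`, `sig_enforce`, `tainted` and securityfs `lsm` files; the function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how tightly kernel module loading is restricted.
# An optional ROOT prefix lets the same code read a constructed tree
# instead of the live /proc and /sys.

read_knob() {  # read_knob FILE DEFAULT -> first line of FILE, or DEFAULT
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

module_load_posture() {  # module_load_posture [ROOT] -> one word on stdout
    root="${1:-}"
    disabled=$(read_knob "$root/proc/sys/kernel/modules_disabled" 0)
    enforce=$(read_knob "$root/sys/module/module/parameters/sig_enforce" N)
    if [ "$disabled" = "1" ]; then
        echo locked             # no module loading at all until reboot
    elif [ "$enforce" = "Y" ]; then
        echo signed-only        # root may load only validly signed modules
    else
        echo root-unrestricted  # neither knob restricts what root loads
    fi
}

unsigned_module_loaded() {  # exit 0 if taint bit 13 (unsigned module) is set
    taint=$(read_knob "${1:-}/proc/sys/kernel/tainted" 0)
    [ $(( (${taint:-0} >> 13) & 1 )) -eq 1 ]
}

active_lsms() {  # comma-separated active security modules, or "unknown"
    read_knob "${1:-}/sys/kernel/security/lsm" unknown
}

report() {
    echo "module loading : $(module_load_posture "$1")"
    echo "active LSMs    : $(active_lsms "$1")"
    if unsigned_module_loaded "$1"; then
        echo "taint          : an unsigned module has been loaded"
    fi
}

report "${1:-}"
```
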
Re:Bring deRaadt in for a consult (Score:1, Informative)
irony (Score:2, Informative)
Re:Well (Score:3, Informative)
To some perhaps. To others he's just an effective team leader who makes decisions to focus efforts. The alternative is usually a lot of people flapping around like headless chickens since they don't know which way to go. Worse yet if the thing is run by an ineffective person or committee where development slows to a glacial pace because no patches are accepted or bogged down in protracted politics and debate. If you want to see what the kernel development would look like in those circumstances, look up XFree86, Emacs, Hurd etc.