hi,
> Not really here to defend the current setting. But I have run with it set to
> 1 for several years and have not noticed any real issues.
understood.
and that's been my _personal_ experience as well. it's been necessary for a few bits-n-bobs, and hasn't broken anything that *I* am aware of.
that said, the issue remains that
-- it was widely 'discussed', then dropped &/or forgotten about (?)
-- the default (Fedora & RH, at least) IS =0, and the config *does* have that "stuff will break"-ism.
-- the "password manager" company (1password in this particular case), _requires_ the setting to _not_ break some of their app's 'secure' functionality
when asked about the 'contradiction' with current RH/Fedora defaults and docs, they replied the other day to a user
"After speaking with the team I've collected some more information on the current situation with |ptrace_scope| being set to 1.
While the Fedora man page is technically correct, setting |ptrace| to anything other than 0 "will break programs". A more
realistic take of the system would be that "it has the chance to break some program functionality".
Applications that depend on the ability to perform arbitrary |ptraces| for functionality other than debugging are uncommon
and it is a better practice to temporarily disable |ptrace_scope| rather than allow the setting to always be available.
This warning applies to a few edge cases and is unlikely to impact your system usage. However,
the command |sudo sysctl -w kernel.yama.ptrace_scope=1| is a temporary variable that is reset upon restarting your device."
Ignoring the fuzzy hand-waving and lack of a clear statement, it leaves deployments to RH/Fedora + 1password users in a pickle -- which vendor's guidance do you believe/trust?
What *I* control, *I* can change. But it's an uphill push to say "Ignore Redhat" or "Ignore 1password" to others.
It'd be much cleaner if RH/Fedora & 1password hashed it out, and came to some reasonable outcome, or at least clear guidance / documentation.
Particularly as Ubuntu/Debian already appear (?) to have made the switch to =1.
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
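The quoted vendor reply notes that `sysctl -w kernel.yama.ptrace_scope=1` does not survive a reboot. As an added example (not part of the original message, and not Fedora's or 1Password's code), this script compares the running value with the one the sysctl.d files would apply at boot. The function names and the ROOT prefix argument are hypothetical, and only the sysctl.d directories are scanned.

```shell
#!/bin/sh
# Added example. ROOT (first argument) is a hypothetical path prefix used for
# offline testing; leave it empty to inspect the live system.

# Print the kernel.yama.ptrace_scope value that the sysctl.d files under ROOT
# would apply at boot, or nothing if no file sets it.
boot_ptrace_scope() {
    root=${1:-}
    val=
    # systemd-sysctl order: file names are sorted across all directories, and
    # a same-named file in /etc overrides /run, which overrides /usr/lib.
    names=$(for d in etc run usr/lib; do ls "$root/$d/sysctl.d" 2>/dev/null; done |
            grep '\.conf$' | LC_ALL=C sort -u)
    for n in $names; do
        for d in etc run usr/lib; do
            f="$root/$d/sysctl.d/$n"
            if [ -e "$f" ]; then break; fi
        done
        # Last assignment in the file wins; a leading "-" (ignore errors) is allowed.
        v=$(sed -n 's/^[[:space:]]*-\{0,1\}kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$f" 2>/dev/null | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Compare the running value with the boot-time value and print a verdict.
check_ptrace_scope() {
    root=${1:-}
    proc="$root/proc/sys/kernel/yama/ptrace_scope"
    if [ ! -r "$proc" ]; then echo "yama-unavailable"; return 0; fi
    running=$(cat "$proc")
    boot=$(boot_ptrace_scope "$root")
    if [ -z "$boot" ]; then
        echo "running=$running boot=unset"          # kernel default after reboot
    elif [ "$running" = "$boot" ]; then
        echo "running=$running boot=$boot persistent"
    else
        echo "running=$running boot=$boot runtime-only"  # reverts at next boot
    fi
}

check_ptrace_scope "${1:-}"
```

A `runtime-only` verdict means the value was changed with `sysctl -w` (or similar) and the machine will return to the configured value on restart.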