On Tue, Mar 15, 2016 at 1:14 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > > Root can still change the group id of a file that has exposed stale > data and hence make it visible outside of the group based > containment wall. Ok, Dave, now you're just being ridiculous. The issue has never been - and *should* never be - that stale data cannot get out. The only issue is that we shouldn't make it ridiculously easy to make silly mistakes. There's no "group based containment wall" that is some kind of absolute protection border. Put another way: this is not about theoretical leaks - because those are totally irrelevant (in theory, the original discard writer had access to all that stale data anyway). This is about making it a practical interface that doesn't have serious hidden gotchas. So stop making silly theoretical arguments that make no sense. We should make sure that we have _practical_ rules that are sensible, but also not painful enough for the people who want to use this in _practice_. Reality trumps everything else. If google is already using this kind of interface, then that is _reality_. Take that into account. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html