> On Apr 23, 2019, at 4:38 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> On Tue, Apr 23, 2019 at 11:47 AM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>>
>> Hmm. I suppose an alternative would be for vdso_install to fail if
>> the vdso isn't built?
>
> I absolutely abhor even the concept of building the kernel as root,
> and I think it should be actively disallowed. Our build system is
> good, but it's good as in "clever and complex" rather than necessarily
> good as in "very secure".
>
> So anybody who builds the kernel as root is doing something seriously
> wrong, in my opinion.
>
> That's partly exactly _because_ we have a lot of magical and very
> powerful build rules, and complicated implicit things going on.
>
> For example, our dependencies aren't even about just the files in the
> kernel repository itself, we have clever things like "if the compiler
> has been updated and features or version changes, we'll automatically
> rebuild, because it's part of our clever build system checks".
>
> But that is also part of the reason why I absolutely do *not* want any
> root-building to happen, because our build setup is simply way too
> clever.
>
> If root builds stuff, you'll end up with root-owned generated
> subdirectories or various config files etc, and even if you don't have
> security issues, it can complicate the build later as a regular user.
>
> I've had the build occasionally fail in odd ways, because some
> root-owned file was now no longer removable (usually it's the
> auto-generated header files in the directory, and the root-generated
> and owned directory is now not writable by the developer any more).
> And every time it happens, I shudder.
>
> So all of that simply boils down to "root should not be running those
> complex rules for our config and dependency magic".
>
> At the same time, "make install" obviously needs to be done as root.
>
> All of which is why I opine that "make install" should never build
> anything at all, it should purely be used as a "install previously
> built files".
>
> So yes, I'd much prefer just failing over trying to build as root (or
> even trying to figure out dependencies as root).
>
>> What's the ideal outcome here?
>
> I'd basically like the rule for "make install" to be that it never
> ever generates a single file in the build tree, so that there are
> never any root-owned (or root-overwritten) files there.
>
> So "make install" should even avoid all dependency checking, for the
> simple reason that if you happen to do a system update between "make"
> and "make install", our smart dependencies should never say "oh, the
> compiler version has changed, so now I'll rebuild everything as root
> just because 'make install'".
>
> So I think the ideal outcome is just "fail if you can't find the files
> to install".

To clarify, this is “fail if you can’t find the files to install, but don’t even try to check whether those files are up to date”, right?
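The two install-rule shapes the thread contrasts, written out as an added illustration (this is not code from the thread or from the kernel tree; `vmlinux.example`, `INSTALL_PATH`, and the target names are hypothetical stand-ins). The first rule lists the build product as a prerequisite, so `sudo make install-rebuilds` on a tree whose artifact is absent or considered stale re-enters the build as root; the second has no prerequisites at all, performs no dependency checking, and simply fails if the file is not already there, which is the behaviour the quoted reply asks for.

```makefile
# Added example, not part of the thread or the kernel Makefiles.
# Assumed names: vmlinux.example stands in for the built artifact,
# INSTALL_PATH for the destination directory.

INSTALL_PATH ?= /boot
ARTIFACT     := vmlinux.example

.PHONY: install-rebuilds install-only

# Weak form: the install target depends on the build product, so make's
# dependency checking runs under the installing user's privileges. If the
# artifact is missing, or a dependency (such as a compiler version stamp)
# has changed since "make", the build rule below runs as root and leaves
# root-owned generated files in the source tree.
install-rebuilds: $(ARTIFACT)
	install -m 0644 $(ARTIFACT) $(INSTALL_PATH)/

# Preferred form: no build prerequisites, no dependency checking. The rule
# only copies what an unprivileged "make" already produced and exits non-zero
# otherwise, so nothing is ever generated in the tree by root.
install-only:
	@test -f $(ARTIFACT) || { \
		echo "error: $(ARTIFACT) not found; run 'make' as an unprivileged user first" >&2; \
		exit 1; }
	install -m 0644 $(ARTIFACT) $(INSTALL_PATH)/

# Stand-in build step; in a real tree this is where generated headers,
# config files and subdirectories would be created.
$(ARTIFACT):
	echo "built" > $@
```

Running `make` as a normal user then `sudo make install-only` copies the artifact; running `sudo make install-only` on a clean tree prints the error and stops, whereas `sudo make install-rebuilds` on the same clean tree silently creates a root-owned `vmlinux.example` first.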