Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection


 



Just addressing this one comment from a process point of view; I'll
come back to the technical part later.

On Sat, 2018-01-27 at 21:46 -0500, Theodore Ts'o wrote:
> (And then you can get some of the "the IMA people are insane" taint
> on yourself.  :-)

Can we please stop it with the "all IMA people are insane" mantra.

I think we've created this problem, for all security people not just
IMA, ourselves to some extent:  We think they're insane, so we don't
listen to what they want.  They go and implement a complicated layering
system to get what they need and we congratulate ourselves that they
were insane because of the tasteless layering violations they've just
committed.  The average security person, as ably created by us, has a
mind that automatically thinks in terms of convoluted external
layering, for which we just drive them further away.

IMA has demonstrated a willingness to work with fs people to try to
clean up the layering problems over the past year or so, including
attending the last LSF/MM to discuss it.  Sure, they're going to have
relapses into the layering mindset (fstype policies spring to mind),
but the test is their willingness to listen to the correct way of doing
things, which I think they're currently passing.

Why don't you try working with them instead of starting from the a-
priori axiom that you can't because they're insane?  They do have years
of experience of what the industry is looking for in security terms,
which we should make use of.  Doing security ourselves because we can't
work with security people is a recipe for eventual tears.

James



