On Wed, May 06, 2020 at 02:29:48AM +0200, David Sterba wrote:
> Back to the example. The problem with deprecation hasn't been brought up
> so far but I probably lack imagination _how_ can an attacker choose the
> algorithm in the context of the filesystem.

They just set the field on-disk that specifies the authentication algorithm.

> If some algorithm is found to be broken and unsuitable for
> authentication it will be a big thing. Users will be sure told to stop
> using it but the existing deployments can't be saved. The support from
> mkfs can be removed, kernel will warn or refuse to mount the
> filesystems, etc. but what else can be done from the design point of
> view?

Require that the authentication algorithm be passed as a mount option, and
validate that it matches what's on-disk.

- Eric
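The mount-time check Eric describes, sketched as an added example in C (not code from the btrfs patch set or the kernel). The algorithm ids, the option names and the superblock field are constructed placeholders; the point it shows is that the admin-supplied mount option is authoritative and the on-disk field merely has to agree with it, so rewriting the field cannot select a different or deprecated algorithm.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed on-disk identifiers for the authentication algorithm field;
 * placeholders, not the real btrfs values. */
enum auth_algo { AUTH_HMAC_SHA256 = 1, AUTH_LEGACY_BROKEN = 2 };

/* Name table for the mount option. `deprecated` marks algorithms the
 * kernel should no longer accept unless the admin overrides explicitly. */
struct algo_desc { const char *name; uint16_t id; int deprecated; };

static const struct algo_desc algos[] = {
    { "hmac-sha256",   AUTH_HMAC_SHA256,   0 },
    { "legacy-broken", AUTH_LEGACY_BROKEN, 1 },
};

static const struct algo_desc *lookup_algo(const char *name)
{
    for (size_t i = 0; i < sizeof(algos) / sizeof(algos[0]); i++)
        if (strcmp(algos[i].name, name) == 0)
            return &algos[i];
    return NULL;
}

/* Decide whether to mount. `ondisk_algo` is the superblock field that
 * anyone with write access to the device can set; `mount_opt` is the
 * value the admin passed (hypothetical option auth_algo=<name>).
 * The admin's choice is authoritative: the on-disk field only has to
 * agree with it. Returns 0 to allow the mount or a negative errno. */
int check_auth_algo(uint16_t ondisk_algo, const char *mount_opt,
                    int allow_deprecated)
{
    const struct algo_desc *d;
    if (!mount_opt)
        return -EINVAL;    /* option is mandatory, no on-disk default */
    d = lookup_algo(mount_opt);
    if (!d)
        return -EINVAL;    /* unknown name: refuse rather than guess */
    if (d->deprecated && !allow_deprecated)
        return -ENOTSUP;   /* broken algorithm: refuse even if disk agrees */
    if (d->id != ondisk_algo)
        return -EINVAL;    /* disk was changed out from under the admin */
    return 0;
}
```

A superblock rewritten to name the deprecated algorithm is rejected whether the admin asked for the strong one (mismatch) or for the deprecated one (refused by policy unless explicitly allowed).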