On Tue, Jun 13, 2023 at 07:04:12PM -0700, Darrick J. Wong wrote:
>
> Well in that case, post a patchset adding "depends on INSECURE" for
> every subsystem that syzbot files bugs against, if the maintainers do
> not immediately drop what they're doing to resolve the bug.
>
> Google extracts a bunch more unpaid labor from society to make its
> owners richer, and everyone else on the planet suffers for it, just like
> you all have done for the past 25 years. That's the definition of
> Googley!!

To be fair, I don't think this is the official position of Google, but rather Dmitry's personal security ideology (as Dave put it).

Dmitry, tell you what. If you can find a vice president inside Google who thinks that preventing an attacker who has the ability to modify a block device while it is mounted, while running code under the control of the attacker, from being able to potentially trigger the ability to run ring 0 code --- and who believes it enough to actually **fund** a headcount to actually work these syzbot reports --- I'll gladly help to supervise that person and mentor their ability to work these ext4 syzbot reports.

But I think you will find that the VP's will believe that this is not a threat that has a genuine business case which is important enough that they are willing to fund it. And I'm saying as an upstream developer, *other* syzbot reports are higher priority, because in my judgement, they are much more willing to impact real users, and are more likely to be issues that management chain would consider higher priority. (Never mind that *all* of my syzbot work has been done on my own time.)

For those of us who are working with limited resources, and doing this work out of the kindness of our hearts, it would be nice to filter out those syzbot reports that in our best judgement, constitute **noise**.
If there is not a good way to filter out the noise, it is likely that upstream developers will choose to use their time working with other tools that are better suited to getting our job done as we understand it.

So far, there has been a lot of work done by folks on your team which has made syzbot easier for us to use, and for that, I thank you. But your position on forcing your ideology of which security bugs I should fix on my own time is.... annoying. And if others feel the same way, your attitude is going to be counter-productive towards the goals you have towards making Linux more secure.

Sometimes, the "best" is the enemy of the "good enough". And in this era of Google's "sharpened focus" or Facebook's "year of efficiency", very often, "good enough" is all the vice presidents are willing to fund.

Best regards,

- Ted