Gentoo Forums
kdbus in the kernel
Anon-E-moose
Advocate

Joined: 23 May 2008
Posts: 3793
Location: Dallas area

Posted: Tue Jul 07, 2015 10:54 am

The kdbus crowd has given up on trying for the 4.2 kernel and is aiming for 4.3.

So expect more "changes" soon, though they will only be cosmetic and not in the direction that the kernel devs have said is needed to get ACKs for their code. :roll:
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
arnvidr
Guru

Joined: 19 Aug 2004
Posts: 591
Location: Oslo, Norway

Posted: Wed Jul 08, 2015 6:50 am

Anon-E-moose wrote:
So expect more "changes" soon, though they will only be cosmetic and not in the direction that the kernel devs have said is needed to get ACKs for their code. :roll:
They're not cosmetic at all, it seems, only bug fixes and the like. Which naturally has nothing to do with the reasons people NACKed it. Because "the design is valid" :p
_________________
Noone wrote:
anything
mrbassie
Guru

Joined: 31 May 2013
Posts: 527

Posted: Wed Jul 08, 2015 3:46 pm

Pardon my ignorance but what does 'nack' stand for (I'm assuming it's an acronym)?
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Wed Jul 08, 2015 4:27 pm

mrbassie wrote:
Pardon my ignorance but what does 'nack' stand for (I'm assuming it's an acronym)?

mrbassie ... I've always taken it to be derived from Negative-Acknowledge Character (so "a negative response"), but I'm not sure why exactly I made that assumption ... perhaps because many kernel components use NAK/NACK, i2c for instance.

best ... khay
gwr
Apprentice

Joined: 19 Nov 2014
Posts: 194

Posted: Thu Jul 09, 2015 11:58 am

Quote:
Drop unused features. This includes KDBUS_MSG_MAX_ITEMS, required attach
flags on buses and filtering oneself on broadcasts. Those were all unused
and I haven't seen any code using them now. As there is no need for them,
drop support for them.
We do _not_ break ABI, so old code still works. But we lack support for
those features now. If anything turns up, we might have to revert these.
But I really doubt that.


http://lkml.iu.edu/hypermail/linux/kernel/1507.0/02970.html

I don't understand... they didn't break the ABI and old code works but they lack support for them? Does not compute.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42850
Location: 56N 3W

Posted: Thu Jul 09, 2015 12:04 pm

gwr,

embrace, extend, extinguish ... It's Red Hat following the Microsoft path.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Jul 09, 2015 3:43 pm

gwr wrote:
Quote:
Drop unused features. This includes KDBUS_MSG_MAX_ITEMS, required attach flags on buses and filtering oneself on broadcasts. Those were all unused and I haven't seen any code using them now. As there is no need for them, drop support for them. We do _not_ break ABI, so old code still works. But we lack support for those features now. If anything turns up, we might have to revert these.
But I really doubt that.

I don't understand... they didn't break the ABI and old code works but they lack support for them? Does not compute.

gwr ... you're not misunderstanding it properly. When it says "unused" it means "now" in the future, those "unused" features "lack support" (retroactively) ... they can't be supported "now" because they don't exist now. In the future any features lacking support "now" will be retrofuturised so that the ABI will not break anything "unused" in the past. See, simple.

best & chuckles ... khay
gwr
Apprentice

Joined: 19 Nov 2014
Posts: 194

Posted: Thu Jul 09, 2015 4:39 pm

khayyam wrote:
See, simple.


It seems easy when you put it like that.
John R. Graham
Administrator

Joined: 08 Mar 2005
Posts: 10179
Location: Somewhere over Atlanta, Georgia

Posted: Fri Jul 10, 2015 2:47 pm

khayyam wrote:
mrbassie wrote:
Pardon my ignorance but what does 'nack' stand for (I'm assuming it's an acronym)?

mrbassie ... I've always taken it to be derived from Negative-Acknowledge Character (so "a negative response"), but I'm not sure why exactly I made that assumption ... perhaps because many kernel components use NAK/NACK, i2c for instance.
You obviously have a knack for explaining such things. ;)

Sometimes in the most geeky of discussions, you'll see someone reply with 0x06 (hexadecimal for ACK in ASCII) or 0x15 (hexadecimal for NAK in ASCII) to indicate agreement or disagreement respectively, but this level of geekiness is mostly just annoying, akin to leetspeak.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.


Last edited by John R. Graham on Fri Jul 10, 2015 3:04 pm; edited 1 time in total
Naib
Watchman

Joined: 21 May 2004
Posts: 5596
Location: Removed by Neddy

Posted: Fri Jul 10, 2015 3:04 pm

popcorn time.

An NSA employee has waded into the mess that is KDBUS

http://lkml.iu.edu/hypermail/linux/kernel/1507.1/01758.html

It appears KDBUS has the ability to fake credentials because a solution for all the userland DBUS applications had to be found :)
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
gwr
Apprentice

Joined: 19 Nov 2014
Posts: 194

Posted: Mon Jul 13, 2015 8:31 pm

Naib wrote:
popcorn time.

An NSA employee has waded into the mess that is KDBUS

http://lkml.iu.edu/hypermail/linux/kernel/1507.1/01758.html

It appears KDBUS has the ability to fake credentials because a solution for all the userland DBUS applications had to be found :)


Interesting how that thread just died. Does no one care?
saellaven
Guru

Joined: 23 Jul 2006
Posts: 494

Posted: Tue Jul 14, 2015 12:47 am

gwr wrote:
Naib wrote:
popcorn time.

An NSA employee has waded into the mess that is KDBUS

http://lkml.iu.edu/hypermail/linux/kernel/1507.1/01758.html

It appears KDBUS has the ability to fake credentials because a solution for all the userland DBUS applications had to be found :)


Interesting how that thread just died. Does no one care?


Not sure where else they can go... to sum up:

A: kdbus can fake credentials
B: That's because it needs to in order to support dbus1 apps
A: But it's a security risk
B: Won't someone think of the applications?!!?! There are millions of legacy dbus1 apps that we need to support with kdbus
C: "But this is more like "userspace is broken, lets port it into the kernel and keep the brokenness while doing so thus setting the brokenness in stone" due to the first mantra." / "ok, we have some userspace functionality that we need to be compatible to it, but in order to do this, we need to do something in the kernel that is broken by design"
A: why don't you just use a socket for dbus1 compatibility?
D: But we'll break java and haskell since they depend on dbus1
E: "If kdbus is better (or even just cooler or more popular) the change over will be swift and painless. The *only* reason that won't be true is if the benefits of kdbus are unclear, in which case it shouldn't be adopted" / "There are so many ways uids are being (miss/ab)used on Linux systems these days that the idea of trusting a bus just because its non-root uid is listed in a table somewhere (or worse, coded in an API) is asking for exploits."
E: "There is absolutely no reason to expect that these two examples don't have native kdbus implementations in the works already. That's the risk you take when you eschew the "standard" libraries. Further, the primary reason that developers deviate from the norm is (you guessed it!) performance. The proxy is going to kill (or at least be assumed to kill) that advantage, putting even more pressure on these deviant applications to provide native kdbus versions."
B: Please tell me how it can be exploited since I don't know any better even though I'm trying to force this on everyone
B: All of this is built on the assumption that you can trust UIDs and I can't imagine why you'd want to talk to another UID's bus
A: If you assume this, you can't be sure that user space won't violate it in the future. The credential metadata is apparently superfluous... but I guess we'll have to allow the credential faking because dbus1

Basically, it comes down to the kdbus crowd not understanding security issues very well but wanting to move dbus1 support to kdbus to, again, continue the embrace/extend/extinguish mindset... and everyone just drops it despite the security concerns. Hey, anything for the cause, right? Why let potentially easily exploitable code get in the way?
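An added example, not part of the post above and not code from kdbus or D-Bus: it contrasts identity metadata a sender writes into its own message with the peer credentials the kernel records for an ordinary Unix socket (the socket route "A" asks about). The 4-byte claimed-uid header and all function names are assumptions made for this illustration; it runs on Linux only.

```python
import os
import socket
import struct

# Hypothetical wire format for this example: 4-byte claimed uid, then payload.
HEADER = struct.Struct("!I")
# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def kernel_peer_uid(conn):
    """Return the uid the kernel recorded for the peer of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid


def authorize(conn, allowed_uids, trust_claimed=False):
    """Read one message and return an access decision as a string.

    trust_claimed=True is the weak variant: the sender chooses its identity.
    trust_claimed=False uses SO_PEERCRED and rejects a contradicting claim.
    """
    data = conn.recv(4096)
    if len(data) < HEADER.size:
        return "reject: short message"
    (claimed,) = HEADER.unpack_from(data)
    if trust_claimed:
        uid = claimed
    else:
        uid = kernel_peer_uid(conn)
        if claimed != uid:
            return "reject: claimed uid contradicts kernel credentials"
    return "accept" if uid in allowed_uids else "reject: uid not allowed"


def run_case(claimed_uid, allowed_uids, trust_claimed=False):
    """Send one constructed message over a socketpair and return the verdict."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(HEADER.pack(claimed_uid) + b"constructed sample request")
        return authorize(server, allowed_uids, trust_claimed)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    me = os.getuid()
    other = me + 1  # a uid this process does not hold
    print("honest claim, kernel check:", run_case(me, {me}))
    print("false claim, claim trusted:", run_case(other, {other}, True))
    print("false claim, kernel check :", run_case(other, {other}))
```
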
ct85711
Veteran

Joined: 27 Sep 2005
Posts: 1694

Posted: Tue Jul 14, 2015 3:20 am

Quote:
Interesting how that thread just died. Does no one care?


First off, you can't say the thread is necessarily dead yet, as it's historically shown that during weekends, the kdbus threads stall out and pick up during the regular work week. (This trend has been seen numerous times in that all messages stop during weekend times and pick up during the work week).

Hate to say it, but this is a good example of a reason why I may be pushed away from Linux if/when kdbus/sysd becomes mandatory.
gwr
Apprentice

Joined: 19 Nov 2014
Posts: 194

Posted: Tue Jul 14, 2015 3:37 pm

saellaven wrote:

Basically, it comes down to the kdbus crowd not understanding security issues very well but wanting to move dbus1 support to kdbus to, again, continue the embrace/extend/extinguish mindset... and everyone just drops it despite the security concerns. Hey, anything for the cause, right? Why let potentially easily exploitable code get in the way?


This is putting (possible) financial consideration above security. That's mind-boggling to me, particularly because it's happening right out in the open.
saellaven
Guru

Joined: 23 Jul 2006
Posts: 494

Posted: Tue Jul 14, 2015 5:51 pm

gwr wrote:
saellaven wrote:

Basically, it comes down to the kdbus crowd not understanding security issues very well but wanting to move dbus1 support to kdbus to, again, continue the embrace/extend/extinguish mindset... and everyone just drops it despite the security concerns. Hey, anything for the cause, right? Why let potentially easily exploitable code get in the way?


This is putting (possible) financial consideration above security. That's mind-boggling to me, particularly because it's happening right out in the open.


That's been RedHat's angle all along. It's all about creating a vendor lock-in, where they are the source of every key part of your system (by means of having virtually every systemd and related developer on their payroll) and, thus, you have to go to them for support... and through the process of getting other distros to join in for "ease of release maintenance," basically every systemd using distro will just become a clone of RedHat with the serial numbers filed off and a few tweaks made so they can claim they aren't.

Down the road, when the exploits start happening, the NSA, RedHat, etc will all claim that they had this discussion in public but that they all decided "nothing could be done about it" so they just had to hope for the best.

And therein lies more proof of the lie that systemd is more secure, technologically better, etc. Early on, a good chunk of us here in the Gentoo forums started pointing out the flawed logic, arrogance, security concerns, etc of the one true program to rule us all and our concerns consistently get ignored. I'm sad to see a couple systemd sycophants just got re-elected to the Gentoo Council, where they've already used their influence to push systemd's shortcomings onto our distribution in an attempt to make openrc weaker to make systemd look better than it really is.
tld
Veteran

Joined: 09 Dec 2003
Posts: 1382

Posted: Tue Jul 14, 2015 9:39 pm

saellaven wrote:
And therein lies more proof of the lie that systemd is more secure, technologically better, etc.
The aspect of systemd that's boggled my mind more than anything is how anyone would ever want that bloated sack of desktop-centric crap, just sitting there begging for exploits, on a server OS like RHEL. Mind boggling. I've read several things where people argue that systemd was designed for servers and not desktops, and I find those arguments patently insane. Redhat is clearly pushing systemd, kdbus etc for business reasons in spite of how horrific an idea it is for a server OS, and a lot of folks are covering that up with a bunch of spin.
ct85711
Veteran

Joined: 27 Sep 2005
Posts: 1694

Posted: Tue Jul 14, 2015 11:05 pm

The fun question is, do we go ahead and make a small program showing off the known (sysd devs already stated they knew of this exploit) credential-faking exploit in dbus?
saellaven
Guru

Joined: 23 Jul 2006
Posts: 494

Posted: Wed Jul 15, 2015 1:47 am

ct85711 wrote:
The fun question is, do we go ahead and make a small program showing off the known (sysd devs already stated they knew of this exploit) credential-faking exploit in dbus?


someone will... whether it's benign or not is another question. At the end of the day, your security model can't be based around "well, we just hope people won't do that." It's not like this is even a missed buffer overflow, it's insecure intentionally by design at this point. If they're going to go through the trouble of making a new interface, wouldn't it make sense to cut ties with a legacy interface that is known to be exploitable rather than to bake it in even deeper? Meanwhile, they are tying everything together using this totally insecure IPC mechanism, replacing a ton of well tested small applications to tie them together under the same roof, and releasing alpha software that isn't even feature stable as production code.

What could possibly go wrong?
depontius
Advocate

Joined: 05 May 2004
Posts: 3381

Posted: Thu Jul 16, 2015 12:43 am

saellaven wrote:

What could possibly go wrong?


Well if something goes wrong, it's OBVIOUSLY the fault of that legacy Unix stuff, and that means that we all need to double-down on systemd. Get those Slackers and Gentooers to adopt the One True Way. Fold more services and functions into systemd. That's the way forward. Really. Trust me.
_________________
.sigs waste space and bandwidth
roki942
Apprentice

Joined: 18 Apr 2005
Posts: 284
Location: Seattle

Posted: Thu Jul 16, 2015 8:55 am

depontius wrote:
saellaven wrote:

What could possibly go wrong?


Well if something goes wrong, it's OBVIOUSLY the fault of that legacy Unix stuff, and that means that we all need to double-down on systemd. Get those Slackers and Gentooers to adopt the One True Way. Fold more services and functions into systemd. That's the way forward. Really. Trust me.

And Global Warming makes the swampland they're selling an outstanding investment for our grand kids! :lol:
Yamakuzure
Advocate

Joined: 21 Jun 2006
Posts: 2273
Location: Bardowick, Germany

Posted: Thu Jul 16, 2015 10:16 am

Naib wrote:
popcorn time.

An NSA employee has waded into the mess that is KDBUS

http://lkml.iu.edu/hypermail/linux/kernel/1507.1/01758.html

It appears KDBUS has the ability to fake credentials because a solution for all the userland DBUS applications had to be found :)
I'd like to read all those, but http://lkml.iu.edu/hypermail/ is empty. (and all links go 404)
_________________
Important German:
  1. "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
  2. "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
Anon-E-moose
Advocate

Joined: 23 May 2008
Posts: 3793
Location: Dallas area

Posted: Thu Jul 16, 2015 1:06 pm

Links to hypermail have been messed up for a couple of days.
saellaven
Guru

Joined: 23 Jul 2006
Posts: 494

Posted: Fri Jul 17, 2015 12:41 am

you can read the thread here

http://thread.gmane.org/gmane.linux.kernel/1992832
steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Fri Jul 17, 2015 7:45 am

I quite liked this one:
Hellwig wrote:
This whole argument of we did something stupid in userspace long ago, and
now need to move it to kernelspace is not very helpful.

That's effectively a description of kdbus entire; trying to move into kernel some utterly shit ideas from userland, all the while pretending they weren't a pile of turd in the first place.

That it's still ongoing, gives the lie to "kernel developers are always focussed on the best technical result", as anyone with real experience and half a brain already knows it's a massive dud.

Doesn't bode well for the future of Linux without Torvalds, especially if Greg K-H is involved in any way, shape or form. (viz: more bulshytt from that purveyor of "quality" bulshytt.)
Anon-E-moose
Advocate

Joined: 23 May 2008
Posts: 3793
Location: Dallas area

Posted: Fri Jul 17, 2015 9:25 am

steveL wrote:
Doesn't bode well for the future of Linux without Torvalds, especially if Greg K-H is involved in any way, shape or form. (viz: more bulshytt from that purveyor of "quality" bulshytt.)


Indeed, the whole we can't change the inside of the code and leave the interface (API/ABI) alone is complete and utter BS.

And quite frankly their attitude and lies are reasons for not having (k)dbus in the kernel.
All times are GMT
Page 21 of 27