Re: Is this mail list dead?
Rik van Riel wrote:
>
> If the C2 stuff isn't too intrusive, maybe we could even
> try to convince Linus to get the (few?) kernel parts of it
> into the kernel...
I believe this is the point of what we SHOULDN'T do. Enforcing such
things like C2 into the kernel from start, can give a huge cost in
performance and may hinder other security schemes. C2 is one and only
one of the possible security schemes one may consider for his tasks.
And, by itself, C2 is quite costly to be implemented (time, performance,
stability and money are the factors). Frankly, I would apply C2 only and
exclusively in a very few cases.
A C2 implementation should be something like how we see LIDS, FreeSWAN
and other systems now - a patch. And give sysadmins/users the right to
choose what they need. Don't think that such thing becomes only
valuable once Linus implements it as a main kernel feature. I do prefer
its relative "marginalisation" as this will force people to concentrate
their efforts in the specificities of the task. It is preferable to
fight incompatibilities rather than security breaches. When a security
tool becomes too broad for use and development, it will have a bigger
chance to be attacked, broken or bugged. Setting C2 at the level of the
main kernel development will surely give ground to such danger. And then
don't be admired that someone suddenly says "it's not a bug but a
feature"...
>
>
> Rik
> --
>
>
Ektanoor
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/