On 07/20/2016 12:13 PM, NP-Hardass wrote:
> This is the first draft of a news item describing a packaging change for
> OpenAFS so that we no longer require the DEBUG_RODATA be turned off.
> Given the security implications of the previous setting of having
> CONFIG_DEBUG_RODATA=n, we thought it prudent to ensure that OpenAFS
> users get notice of the change in a manner that they are not likely to
> miss (unlike a message in a phase that can be missed/hidden/squelched).
>
>
> Title: OpenAFS no longer needs kernel option DEBUG_RODATA
> Author: NP-Hardass <NP-Hardass@g.o>
> Author: Andrew Savchenko <bircoph@g.o>
> Content-Type: text/plain
> Posted: 2016-07-23
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: <=net-fs/openafs-kernel-1.6.18.2
> Display-If-Keyword: amd64
> Display-If-Keyword: ~amd64-linux
> Display-If-Keyword: ~sparc
> Display-If-Keyword: x86
> Display-If-Keyword: ~x86-linux
>
> As a result of bug #127084 [1], it was determined that OpenAFS's kernel
> module required that the kernel's data structures be read-write
> (CONFIG_DEBUG_RODATA=n). Upon reviewing the latest version of OpenAFS
> with Linux kernels 3.4-4.4, it has been determined that this condition
> is no longer necessary to ensure that OpenAFS builds and loads into the
> kernel.

The second sentence reads awkwardly to me. Was this recent discovery a
result of OpenAFS changes, or from a re-audit of the source?

If it's the former, I'd use something like:
As of openafs-1.6.18.2, it is no longer necessary to disable
CONFIG_DEBUG_RODATA for the OpenAFS module to build and be loaded by the
kernel.

If the ebuild doesn't block on kernels < 3.4, of course warn about that
as well.

For the latter it is okay, but still a bit awkwardly worded.

> Starting with net-fs/openafs-kernel-1.6.18.2, this condition is no longer
> forced in the ebuild. Considering the security implications of having
> CONFIG_DEBUG_RODATA turned off, it is highly advised that you adjust your
> kernel config accordingly. Please note that the default setting for
> CONFIG_DEBUG_RODATA is "y" and unless you have another reason for keeping
> it disabled, we highly recommend that you re-enable CONFIG_DEBUG_RODATA.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=127084

--
-Austin
GPG: 00B3 2957 B94B F3E1
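
Added example (not part of the original message, the news item, or the ebuild): a shell function for the check the news item asks users to make, reporting whether CONFIG_DEBUG_RODATA is set in a given kernel config file. The function name rodata_state and the paths named in the usage comment are assumptions.

```shell
# Report the state of CONFIG_DEBUG_RODATA in a kernel config file.
# Assumption: the file is a plain-text .config or a gzip-compressed copy
# (name ending in .gz), as /proc/config.gz is when the kernel provides it.
# Prints enabled / disabled / absent / unreadable; returns 0 only for enabled.
rodata_state() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 2
    fi
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # kconfig writes "CONFIG_X=y" when an option is on and
    # "# CONFIG_X is not set" when it is off; match whole lines so that
    # other symbols sharing the prefix are not counted.
    if $reader "$cfg" | grep -q '^CONFIG_DEBUG_RODATA=y$'; then
        echo "enabled"
    elif $reader "$cfg" | grep -q '^# CONFIG_DEBUG_RODATA is not set$'; then
        echo "disabled"
        return 1
    else
        # Symbol not mentioned at all: this config does not offer the option.
        echo "absent"
        return 1
    fi
}

# Usage (paths are assumptions): pass the config files to check, e.g.
#   sh check_rodata.sh /proc/config.gz /usr/src/linux/.config
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(rodata_state "$f")"
done
```

Check both the running kernel's config and the source tree the OpenAFS module is built against, since the two can differ after a kernel update.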