| 1 |
On 07/20/2016 12:13 PM, NP-Hardass wrote: |
| 2 |
> This is the first draft of a news item describing a packaging change for |
| 3 |
> OpenAFS so that we no longer require the DEBUG_RODATA be turned off. |
| 4 |
> Given the security implications of the previous setting of having |
| 5 |
> CONFIG_DEBUG_RODATA=n, we thought it prudent to ensure that OpenAFS |
| 6 |
> users get notice of the change in a manner that they are not likely to |
| 7 |
> miss (unlike a message in a phase that can be missed/hidden/squelched). |
| 8 |
> |
| 9 |
> |
| 10 |
> Title: OpenAFS no longer needs kernel option DEBUG_RODATA |
| 11 |
> Author: NP-Hardass <NP-Hardass@g.o> |
| 12 |
> Author: Andrew Savchenko <bircoph@g.o> |
| 13 |
> Content-Type: text/plain |
| 14 |
> Posted: 2016-07-23 |
| 15 |
> Revision: 1 |
| 16 |
> News-Item-Format: 1.0 |
| 17 |
> Display-If-Installed: <=net-fs/openafs-kernel-1.6.18.2 |
| 18 |
> Display-If-Keyword: amd64 |
| 19 |
> Display-If-Keyword: ~amd64-linux |
| 20 |
> Display-If-Keyword: ~sparc |
| 21 |
> Display-If-Keyword: x86 |
| 22 |
> Display-If-Keyword: ~x86-linux |
| 23 |
> |
| 24 |
> As a result of bug #127084 [1], it was determined that OpenAFS's kernel |
| 25 |
> module required that the kernel's data structures be read-write |
| 26 |
> (CONFIG_DEBUG_RODATA=n). Upon reviewing the latest version of OpenAFS |
| 27 |
> with Linux kernels 3.4-4.4, it has been determined that this condition |
| 28 |
> is no longer necessary to ensure that OpenAFS builds and loads into the |
| 29 |
> kernel. |
| 30 |
|
| 31 |
The second sentence reads awkwardly to me. Was this recent discovery a |
| 32 |
result of OpenAFS changes, or from a re-audit of the source? |
| 33 |
|
| 34 |
If it's the former, I'd use something like: |
| 35 |
As of openafs-1.6.18.2, it is no longer necessary to disable |
| 36 |
CONFIG_DEBUG_RODATA for the OpenAFS module to build and be loaded by the |
| 37 |
kernel. |
| 38 |
|
| 39 |
If the ebuild doesn't block on kernels < 3.4, of course warn about that |
| 40 |
as well. |
| 41 |
|
| 42 |
For the latter it is okay, but still a bit akwardly worded. |
| 43 |
|
| 44 |
> Starting with net-fs/openafs-kernel-1.6.18.2, this condition is no longer |
| 45 |
> forced in the ebuild. Considering the security implications of having |
| 46 |
> CONFIG_DEBUG_RODATA turned off, it is highly advised that you adjust your |
| 47 |
> kernel config accordingly. Please note that the default setting for |
| 48 |
> CONFIG_DEBUG_RODATA is "y" and unless you have another reason for keeping |
| 49 |
> it disabled, we highly recommend that you re-enable CONFIG_DEBUG_RODATA. |
| 50 |
> |
| 51 |
> [1] https://bugs.gentoo.org/show_bug.cgi?id=127084 |
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
-Austin |
| 56 |
GPG: 00B3 2957 B94B F3E1 |
Archives