Date:      Thu, 16 Feb 2023 09:28:38 +0100
From:      Gordon Bergling <gbe@freebsd.org>
To:        Colin Percival <cperciva@tarsnap.com>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: RFC: Removing WITHOUT_CAPSICUM and WITHOUT_CASPER from 14.x
Message-ID:  <Y%2B3pNgo8dsFjnTvr@lion.ttyv0.de>
In-Reply-To: <01000186589237d9-6c480554-3d01-405a-9f7a-81e96ae2a395-000000@email.amazonses.com>
References:  <01000186589237d9-6c480554-3d01-405a-9f7a-81e96ae2a395-000000@email.amazonses.com>

Hi Colin,

On Thu, Feb 16, 2023 at 04:53:43AM +0000, Colin Percival wrote:
> Hi FreeBSD architects,
>
> I'd like to remove WITHOUT_CAPSICUM and WITHOUT_CASPER for FreeBSD 14.x.
>
> The rationale for this is threefold:
>
> 1. They don't serve any useful purpose and merely weaken security;
>
> 2. They're an anomaly among WITH/WITHOUT options -- most WITHOUT_* options
> take the form "don't build/install <components>" rather than having
> effects across the entire tree.
>
> 3. They're a pain for release engineering, because approximately nobody ever
> tests FreeBSD with WITHOUT_CAPSICUM or WITHOUT_CASPER set, but they're the
> sort of option which can easily break the build due to having effects all
> over the tree.
>
> If nobody objects, my plan is to get rid of the WITHOUT_ build options first
> and leave MK_{CAPSICUM,CASPER} set unconditionally to "yes"; then sweep the
> tree (mostly a matter of running unifdef) after 14.x is branched.

I would think that this is a good idea. Apart from the release engineering
point of view, I can't think of a business case where security measures
should be disabled.

--Gordon
