From owner-freebsd-arch Tue Apr 9 13: 6:48 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from grant.org (grant.org [206.190.164.98])
    by hub.freebsd.org (Postfix) with ESMTP id 3F35737B404
    for ; Tue, 9 Apr 2002 13:06:37 -0700 (PDT)
Received: (from devon@localhost)
    by grant.org (8.11.6/8.11.6) id g39K6Vc83785;
    Tue, 9 Apr 2002 16:06:31 -0400 (EDT)
    (envelope-from devon)
Date: Tue, 9 Apr 2002 16:06:31 -0400 (EDT)
Message-Id: <200204092006.g39K6Vc83785@grant.org>
From: FreeBSD@Jovi.Net
To: freebsd-arch@FreeBSD.ORG
In-reply-to: <200204091802.g39I2tk39958@freefall.freebsd.org> (nsayer@FreeBSD.org)
Subject: Re: kern/33904: secure mode bug
References: <200204091802.g39I2tk39958@freefall.freebsd.org>
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bug is in the code.  Perpetuated by policy error.

Silent DWIM/failure is never acceptable policy in any API.

Suggest this kludge be documented as a temporary security measure
with a specific termination date, e.g. Monday 6 February 2006
to give app writers four years to fix their code after which
the emergency broken kernel can be restored to normal.

Cheers
--Devon
/"\
\ /   ASCII Ribbon Campaign
 X    Help Cure HTML Mail
/ \

PS: I do not advocate any specific solution to the current defect,
there are many choices and I'm sure I haven't thought of them all,
here's one: Accept small changes, reject large ones.  Giving the
caller half a time change is like giving the mom half a baby.
Apps can learn to ask for small time changes.

Some guiding principles:

* API quality is paramount
* Silent failure is never ok
* Silent DWIM is even worse
* necessity is not divinity (repent for we are all kludgers)

Most C coders ignore error status anyway, maybe a clean UNIX system
is a lost cause, still no excuse for the current DWIM hack, pure
poison to allow UI kludges in the API, blurring the concept of
success or failure.

Date: Tue, 9 Apr 2002 11:02:55 -0700 (PDT)
From:
Synopsis: secure mode bug

State-Changed-From-To: analyzed->feedback
State-Changed-By: nsayer
State-Changed-When: Tue Apr 9 11:01:58 PDT 2002
State-Changed-Why:
This is not a problem with the code, but rather the documentation.
I've asked for help in getting the man page fixed, but not heard
anything back.

http://www.freebsd.org/cgi/query-pr.cgi?pr=33904
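
The two API policies contrasted in the PS above, as a user-space model added to this archive page; it is not FreeBSD kernel code and not from either poster. The one-second limit, the function names and the choice of EPERM are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit on a single clock step; the thread gives no figure. */
#define MAX_STEP_NS INT64_C(1000000000)

/* Magnitude of (a - b), computed unsigned so extreme values cannot overflow. */
static uint64_t abs_diff(int64_t a, int64_t b) {
    return a > b ? (uint64_t)a - (uint64_t)b : (uint64_t)b - (uint64_t)a;
}

/* Silent-DWIM policy: apply at most MAX_STEP_NS of the request and still
 * return 0, so the return value cannot tell the caller what happened. */
int set_clock_clamped(int64_t *clock_ns, int64_t want_ns) {
    if (abs_diff(want_ns, *clock_ns) > (uint64_t)MAX_STEP_NS)
        want_ns = want_ns > *clock_ns ? *clock_ns + MAX_STEP_NS
                                      : *clock_ns - MAX_STEP_NS;
    *clock_ns = want_ns;
    return 0;
}

/* "Accept small changes, reject large ones": a small request is applied in
 * full; a large one fails with an error and leaves the clock untouched. */
int set_clock_strict(int64_t *clock_ns, int64_t want_ns) {
    if (abs_diff(want_ns, *clock_ns) > (uint64_t)MAX_STEP_NS)
        return EPERM;
    *clock_ns = want_ns;
    return 0;
}

int main(void) {
    int64_t want = 5 * MAX_STEP_NS; /* constructed request: step forward 5 s */
    int64_t a = 0, b = 0;
    int ra = set_clock_clamped(&a, want);
    int rb = set_clock_strict(&b, want);
    /* Clamped: rc says success, yet the clock is not the requested value. */
    printf("clamped: rc=%d clock=%lld want=%lld\n", ra, (long long)a, (long long)want);
    /* Strict: rc reports the refusal and the clock is unchanged. */
    printf("strict:  rc=%d clock=%lld want=%lld\n", rb, (long long)b, (long long)want);
    return 0;
}
```

Under the clamped policy a caller has to read the clock back to learn whether its request was honored; under the strict policy the return value is sufficient.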