upvote

points

by TacticalCoder11 hours ago |
comments
upvoteby yjftsjthsd-h11 hours ago|
next
[-]
> we're now into the "users installing our distro are getting hacked left and right" territory

Are we? Are users actually getting hacked, or have they theoretically been exposed to problems that could allow local privileged escalation if exploited but that nobody's seen used in the wild?

(Edit: To be clear, I'm skeptical but this isn't a completely rhetorical question. If there are actual reports of these vulns causing problems, that would strongly incentivize a stronger response.)

reply
upvoteby bombcar10 hours ago|
prev|
[-]
It used to be relatively standard even on the "big" distros to compile your own kernel if you needed something outside of the bog-standard. Modularization and all the related auto-detect auto-mod tools have resulted in most distros shipping a "works for almost everyone" kernel that has everything available as a module.

Perhaps we should tend toward the first.

reply
upvoteby yjftsjthsd-h10 hours ago|
parent|
[-]
It seems like a reasonable middle ground for most distros is to put things in kernel modules, but then package those modules into separate packages. If you don't need somedriver.ko, then you don't `apt install linux-driver-somedriver`; if you do need it, just install the package and it just works without needing to compile anything and you get automatic updates and everything.

For Gentoo, of course, "just recompile the kernel as desired" is more reasonable, though they have binary packages including for the kernel and I don't see why the same idea shouldn't work there.

reply
upvoteby Muromec9 hours ago|
parent|
next
[-]
>but then package those modules into separate packages. If you don't need somedriver.ko, then you don't `apt install linux-driver-somedriver

But I don't want to know what drivers I need and will need next. Tomorrow I could buy a different wifi module and then what? Spend 3 hours googling which rtl378326973268632aahaxhabt.ko to install? Thanks but no thanks.

reply
upvoteby patmorgan238 hours ago|
parent|
next
[-]
So why can't someone (probably the distro) build a utility that detects the hardware and installs the required kernal module?

We can have security and convenience.

reply
upvoteby bombcar5 hours ago|
parent|
next
[-]
That existed for a very short period of time before it became simpler to just ship everything all the time. I remember at least one distro booting with a single processor kernel and detecting that it could use an SMP kernel and did I want to pull it down?
reply
upvoteby johnny224 hours ago|
parent|
prev|
[-]
and how would it get that module without network access. I'd say for network drivers specifically, this is tough one.

It would work for various other drivers though.

reply
upvoteby bombcar3 hours ago|
parent|
[-]
The standard method is for the installer to have the needful and then it knows what packages to install to give you the network drivers you need going forward (shades of slipstreaming in all the network drivers I could find into W2K custom ISOs so I'd not need to find floppies).
reply
upvoteby tardedmeme8 hours ago|
parent|
prev|
[-]
On older versions of Windows you used to get popups saying new hardware is detected, would you like to install the driver now?
reply
upvoteby PunchyHamster8 hours ago|
parent|
prev|
[-]
That's in generally available distro a huge PITA.

You can do blacklists easy enough if you want to, just add few lines of text into /etc.

I'd also like option for whitelisting, like whitelisting every single NIC driver is harmless enough coz they just won't be loaded, but anything that can be loaded by non-root userspace action should have option to be only loaded if it is on whitelist.

Tho all that is easily doable by just changing userspace AFAIK

reply