Re: The IPsec kernel problem
also sprach Andreas Schuldei <[EMAIL PROTECTED]> [2003.10.06.2211 +0200]: > > From glancing over the patch, it *also* replaces parts of the > > non IPsec i.e. standard IP stack. Maybe it provides the same > > functionality to the end user. It does *not* provide the same > > functionality to the developer. > > kernel developers dont use the debian source package as a base for > their work. Yes, and that's the problem. So I can't profit of their work, because I can't have the same base. -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! pgpDgPgVpQqra.pgp Description: PGP signature
Re: The IPsec kernel problem
On Monday 06 October 2003 21:11, Andreas Schuldei wrote: > kernel developers dont use the debian source package as a base > for their work. I have in the past for writing device drivers. Admittedly none are in the mainstream kernel (afaik) but that is not the point. Tom -- ^__^| Tom Badran (oo)\__ | Imperial College (__)\ )\/\ | Department of Computing ||w || --- || ||| Using Debian SID pgp6Cfe8Ltnsb.pgp Description: signature
Re: The IPsec kernel problem
* martin f krafft ([EMAIL PROTECTED]) [031006 21:57]: > > The IPSEC stack does nothing unless you specify policies through > > PFKEY or NETLINK. In other words, it is disabled by default. > > From glancing over the patch, it *also* replaces parts of the non > IPsec i.e. standard IP stack. Maybe it provides the same > functionality to the end user. It does *not* provide the same > functionality to the developer. kernel developers dont use the debian source package as a base for their work.
Re: The IPsec kernel problem
also sprach Herbert Xu <[EMAIL PROTECTED]> [2003.10.03.1016 +0200]: > > I cannot disable IPsec at runtime as I cannot replace the IP stack > > at runtime, and it modifies the IP stack. Moreover, you state the > > The IPSEC stack does nothing unless you specify policies through > PFKEY or NETLINK. In other words, it is disabled by default. From glancing over the patch, it *also* replaces parts of the non IPsec i.e. standard IP stack. Maybe it provides the same functionality to the end user. It does *not* provide the same functionality to the developer. > > reason why you should not put IPsec in the kernel right there: > > "The presence of the patch should not prevent me from doing > > something that I would otherwise be able to do." Well, it does. > > It does not prevent you from doing anything with the *kernel > image* that you otherwise would be able to do. > > You argument fails even with the kernel source as the patch is > easily reversed. and if reversed, you loose the entire point of kernel-patch-debian -- security backports. Herbert, are you actually pretending to argue, or will simply slam every argument brought against you with a "fails this check, fails that check"? -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! pgp8TjoMBXiPt.pgp Description: PGP signature
Re: The IPsec kernel problem
martin f krafft <[EMAIL PROTECTED]> wrote:
>
> * If it's a feature, can it be disabled/enabled at runtime?
>
>Sinec we're making generic kernels, this is a must. The presence
>of the patch should not prevent me from doing something that I would
>otherwise be able to do.
>
> I cannot disable IPsec at runtime as I cannot replace the IP stack
> at runtime, and it modifies the IP stack. Moreover, you state the
The IPSEC stack does nothing unless you specify policies through
PFKEY or NETLINK. In other words, it is disabled by default.
> reason why you should not put IPsec in the kernel right there: "The
> presence of the patch should not prevent me from doing something
> that I would otherwise be able to do." Well, it does.
It does not prevent you from doing anything with the *kernel image*
that you otherwise would be able to do.
You argument fails even with the kernel source as the patch is easily
reversed.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: The IPsec kernel problem
also sprach Herbert Xu <[EMAIL PROTECTED]> [2003.10.03.0121 +0200]: > I have given you the reason for this many times already. Please > reread the thread on debian-devel carefully. This one post did in fact slip my eyes. In it, you mention some checks when it comes to patch inclusion. I have a particular problem with: * If it's a feature, can it be disabled/enabled at runtime? Sinec we're making generic kernels, this is a must. The presence of the patch should not prevent me from doing something that I would otherwise be able to do. I cannot disable IPsec at runtime as I cannot replace the IP stack at runtime, and it modifies the IP stack. Moreover, you state the reason why you should not put IPsec in the kernel right there: "The presence of the patch should not prevent me from doing something that I would otherwise be able to do." Well, it does. -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! pgpj2vhMdpnhL.pgp Description: PGP signature
