Hi,

Jacob Appelbaum wrote (22 Jul 2014 08:34:59 GMT) :
> On 7/21/14, intrigeri <[email protected]> wrote:
>> Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
>>> Is that true? Isn't blacklisting them as simple as adding a few lines
>>> to /etc/modprobe.d/blacklist.conf?
>>
>> Right. Which is not much easier than maintaining a text file with
>> a list of module names, and writing a ~10-lines build-time hook that
>> runs find -delete on these names, and then runs update-initramfs.
>> If we prefer to remove modules entirely, I can do that.
> Sounds reasonable.

OK, glad we found an agreement :)

Jurre, what do you think? Does the general plan (starting with
blacklisting, then removing all of the blacklisted modules but some)
make sense to you? If so, please close #7575, and either add the plan
to the blueprint, or ask me to do it.

>>> Is the right place to put things in /etc/modprobe.d/blacklist.conf
>>> as I think?
>>
>> I think we'll want to use a less generic name, such as
>> tails-blacklist.conf.
>>
> The reason I suggested blacklist.conf is that it already exists. If
> you want to create a different file, it certainly won't make sense to
> send it directly to Debian; won't it remain a Tails delta?

That file only exists on Squeeze: it was removed in udev 175-1.

The filename that'll be used on Debian probably depends on the package
we want to sneak it into. Also, it's probably a good idea to have the
blacklist split into smaller, per-topic files. E.g. both Fedora and
Ubuntu currently ship /etc/modprobe.d/blacklist-rare-network.conf.
On Trusty, it's provided by the kmod package:
http://packages.ubuntu.com/trusty/i386/kmod/filelist

It would be good to start a discussion about it with the Debian
security team and the kmod maintainers. Wrt. the content and process,
I suggest proposing them to take Ubuntu's rare network protocols
blacklist as-is, to start with. I hope this shouldn't be too hard to
have accepted, assuming we provide a good rationale, e.g. a short
history of security holes in these modules, an explanation of why it's
not used much, and feedback from Fedora/Ubuntu developers (ask e.g.
Kees and John Johansen). It may require a patch against the Jessie
release notes, to smooth things a bit, though.

Jake, want to initiate this discussion?

Cheers,
--
intrigeri
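The build-time hook sketched in the thread (a text file of module names, find -delete on those names, then update-initramfs), written out as an added example by the editor; it is not Tails' own hook. The one-name-per-line list format, the function names, and tails-blacklist.conf as the modprobe.d output file are assumptions:

```shell
#!/bin/sh
# Added example, not Tails' own hook. Assumed inputs: a text file with one
# module name per line ("#" comments and blank lines ignored), the kernel
# module tree (e.g. /lib/modules/$(uname -r)) and the modprobe.d output file.
set -eu

# Print the module names from the list, skipping comments and blank lines.
# An empty list is not an error.
list_modules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Write one "blacklist <module>" line per listed module into the conf file,
# so the modules are also blacklisted for modprobe, not only deleted.
write_blacklist() {
    list="$1"; conf="$2"
    : > "$conf"
    list_modules "$list" | while read -r mod; do
        printf 'blacklist %s\n' "$mod" >> "$conf"
    done
}

# Delete the .ko (and compressed .ko.*) files of every listed module from the
# tree and print how many files were removed. Module file names use '-' and
# '_' interchangeably, so both spellings are matched.
remove_modules() {
    list="$1"; dir="$2"; removed=0
    for mod in $(list_modules "$list"); do
        pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
        n=$(find "$dir" -type f \( -name "$pat.ko" -o -name "$pat.ko.*" \) \
                -print -delete | wc -l | tr -d ' ')
        removed=$((removed + n))
    done
    echo "$removed"
}

# The whole hook: blacklist, delete, then rebuild the initramfs (skipped
# where update-initramfs is unavailable, e.g. when run outside the build).
run_hook() {
    write_blacklist "$1" "$3"
    echo "removed $(remove_modules "$1" "$2") module file(s)"
    if command -v update-initramfs >/dev/null 2>&1; then
        update-initramfs -u -k all
    fi
}
```

Usage inside the build would be `run_hook modules.list /lib/modules/<version> /etc/modprobe.d/tails-blacklist.conf`, with the list kept in the source tree.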
