Date: Tue, 30 Dec 2014 06:32:13 +0300 From: Solar Designer <solar@...nwall.com> To: owl-users@...ts.openwall.com Subject: Owl future (was: owl-startup) On Mon, Dec 29, 2014 at 10:38:36PM +0300, (GalaxyMaster) wrote: > I have a feeling that Owl is currently stagnating Obviously it is. > since there are no active packagers Mostly not for that reason. In fact, that one may be a consequence of other reasons. There are people who could contribute stuff, but if we opened Owl up for contributions without close involvement from key Owl developers, the resulting distro would make little sense to me. > and that if we do not act in the nearest future the > effort required to recover and to bring Owl up-to-date would be > unjustified. In my opinion, we are approaching a point where it's just > much easier to take the best we have in our distribution and apply it on > top of a modern, mainstream one -- and my guess is that we won't lose > much. Maybe, this is what we should do after all. Let's look at this differently: what was the value of Owl so far? I think it was primarily in trying out and demonstrating to others some approaches, some of which have now been adopted by other systems (and some changes went upstream). I think the positive impact of this can be greater. Maybe some of us could actively contribute to other distros e.g. to make them SUID-less? For example, I think Alpine Linux may be a good distro to contribute to. Surely there are others. Maybe also some *BSDs. As to contributing to mainstream distros, I don't mind, but frankly I don't feel our userland security hardening enhancements are of as much value when mixed with a lot of other stuff in a distro like Fedora or Ubuntu. The value would probably be in demonstrating those approaches via the more popular mainstream distros, so the approaches could again be cherry-picked by some distro where there are not as many other "gaping holes" as in a mainstream one. For example, when Mandriva went to use our tcb, I think the value was in greater exposure of this approach for potential reuse where it's more helpful, and to a lesser extent in direct benefit to Mandriva users (where there are plenty of unrelated SUID root programs anyway). Having our approaches adopted by multiple distros also side-steps the issue of systemd. The distros may vary in this aspect. I am not suggesting that we maintain forks of other distros as Openwall projects. (galaxy@ might have implied that, for some specific distro.) Rather, I am suggesting that if some of us want to, and there are other distros that welcome such contributions, the individual Owl developers and users could contribute to those distros, and this sort of activity would make sense to me. As to Openwall's role in this, I am not sure. Finally, as to the future of Owl itself, we need to know why we'd be continuing to put effort into Owl. Do we have more new approaches to demo to others in this way, or would we be playing catch-up? I think it might be mostly the latter. There are things other hardened distros did and we didn't do yet, so we can merge those in and create a distro that is in some ways better overall. (In fact, this was the plan a couple of years ago, but we didn't proceed to execute on it much yet.) However, we would not demo much new in this way, except for the combination of what we already had and what others already had, and along with newer upstream software versions. Is demo'ing this combination worth the effort? Would it inspire others to do anything better? Is it worth the effort merely for actual use of it during the period that we'd be maintaining it and keeping it up-to-date? I think Owl is, and will be (until EOL'ed), one of Openwall's several projects (not "the main project"). There are other things I'd like to work on (as well or instead). So if Owl is primarily for its actual use while it's maintained, rather than for indirect positive impact on other projects, this means that personally I will want to limit my time spent on Owl and to spend more of my time on our other projects instead (including some future ones). I've been doing just that lately. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.