
Re: Why burnfree is off by default?



Joerg Schilling wrote:
> Matthias Andree <matthias.andree@gmx.de> wrote:
>
>> Joerg Schilling <schilling@fokus.fraunhofer.de> writes:
>>
>>> Nowadays, where there is Burnproof, people complain about coasters because
>>> they listen to incompetent people who tell others _not_ to run cdrecord
>>> in a way on Linux that allows cdrecord to lock in core and to raise priority.
>>> As a result, people get coasters :-(
>>
>> This needs to be differentiated a bit. Locking pages into memory and
>> requesting real-time scheduler properties are privileged operations, and
>> as such, it becomes a question of trust. Do I trust that the one-man
>> show Jörg Schilling gets every tiny bit right so that privileges (in
>> set-uid mode) are reliably dropped early enough, that there are no
>> backdoors someone could exploit to escalate his rights?
>
> Cdrecord is now 10 years old. It did have 3 privilege problems so far and all
> have been fixed in less than a day.
>
> If Linux would offer similar stability as cdrecord and would be as trustworthy
> as cdrecord, I could trust Linux.
>
> Please tell me why people trust in something like Linux but don't do so for
> stable software like cdrecord?

That's easy, there is no alternative to trusting the O/S. Media writing programs can function without root access, although there are possible drawbacks (which in practice are rare). I have no problem trusting cdrecord because I can read the code, but if you didn't feel so strongly that Linux should be modified to make your life easy it seems possible to use capabilities to get the access which assures reliable operation.

The changes in Linux came because of a real security problem in the SCSI command set, and because exploits were starting to appear the fix needed to be put in immediately. It wasn't done to piss you off! You brag that three problems in ten years were fixed in about a day, but you are offended that a security bug in Linux was also fixed without delay. Why is a quick fix a virtue when you do it and an evil when Linux does it?

Your insistence on using SCSI numbers as the "official" solution is not helping, you put in support but added silly warning messages. And you might as well release the DVD code, every distro has some version of the capability, some are really half-assed and give cdrecord a bad name. You've lost the battle, grow up and move on!
-- 
bill davidsen <davidsen@tmr.com>
  CTO TMR Associates, Inc
  Doing interesting things with small computers since 1979
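
The ordering the quoted trust question turns on (page locking and real-time scheduling first, then an irreversible privilege drop that is verified), shown as an added example that is not part of this thread and is not cdrecord's code. The function names are hypothetical, and it assumes a Linux binary installed set-uid root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose setreuid()/setregid() in glibc */
#endif
#include <sched.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

enum { GOT_MLOCK = 1, GOT_RT = 2 };

/* Step 1: best-effort privileged setup. Returns a bitmask of what succeeded. */
int acquire_rt_resources(void)
{
    struct sched_param sp = {0};
    int got = 0;

    sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
    if (mlockall(MCL_CURRENT | MCL_FUTURE) == 0)
        got |= GOT_MLOCK;               /* pages can no longer be swapped out */
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == 0)
        got |= GOT_RT;                  /* real-time scheduling class */
    return got;
}

/* Step 2: give up the set-uid/set-gid identity for good. 0 = dropped, -1 = not. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group before user: once the uid is gone the gid can no longer be changed. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Do not trust the return codes alone: the old ids must be unreachable. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    int got = acquire_rt_resources();   /* runs before any user input is parsed */
    if (drop_privileges() != 0) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    printf("mlockall=%d sched_fifo=%d uid=%ld euid=%ld\n", !!(got & GOT_MLOCK),
           !!(got & GOT_RT), (long)getuid(), (long)geteuid());
    return 0;
}
```

The memory locks and the scheduling class survive the drop, so everything after step 2 runs with the invoking user's identity only.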
