[Pkg-utopia-maintainers] Bug#1041552: HFS/HFS+ are insecure

Diederik de Haas didi.debian at cknow.org
Sun Aug 27 11:30:28 BST 2023


On Sunday, 27 August 2023 02:34:04 CEST Marco d'Itri wrote:
> So I propose this content for a file like
> /usr/lib/udev/rules.d/75-insecure-fs.rules:
> 
> # Do not automatically mount these file systems because their drivers are
> # marked as "orphan" or "odd fixes" in the kernel MAINTAINERS file and so

On Sunday, 23 July 2023 02:38:41 CEST Ben Hutchings wrote:
> I agree we should not have UDisks probing for any of the (many) kernel
> filesystems that aren't being actively maintained including responding
> to security issues.

While I agree that "orphan" does mean that it is NOT actively maintained, 
AFAICT the situation is a bit more blurry for "odd fixes".

Previously not knowing about that status, I looked up the commits where the 
status was set to "odd fixes" and found that for some the reason was that the 
maintainer didn't have the hardware to test it themselves.
I do not think that's the same as 'unmaintained'.

The main reason I looked into this was the "jffs2" entry and for that there was 
no reason given. But I know it is used in routers and SBCs and I saw recently 
a patch come by related to that, which was accepted so should be part of the 
6.6 kernel. Doing `gitk -- fs/jffs2/` also revealed that there were commits in 
6.5, 6.4 and 6.3 at which point I stopped investigating that as it was clear 
to me that it was anything but unmaintained.

Looking into MAINTAINERS, I also saw that `drivers/char/hw_random/` has the 
"Odd fixes" status...

I'm not sure if it would actually result in unbootable systems, but I do think 
a bit more care should be taken before blacklisting modules.
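An added example, not part of the original message or of any Debian package: a short Python parser that groups MAINTAINERS-style entries by their `S:` status, so that "orphan" and "odd fixes" drivers can be reviewed as separate classes before any are excluded from auto-mounting. The excerpt is constructed, and the function names `parse_maintainers` and `by_status` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt in the kernel MAINTAINERS layout (title line, then
# tagged lines); the maintainer name and address are placeholders.
SAMPLE = """\
HFS FILESYSTEM
S:\tOrphan
F:\tfs/hfs/

JOURNALLING FLASH FILE SYSTEM V2 (JFFS2)
M:\tExample Maintainer <maintainer@example.org>
S:\tOdd Fixes
F:\tfs/jffs2/
F:\tinclude/uapi/linux/jffs2.h

HARDWARE RANDOM NUMBER GENERATOR CORE
S:\tOdd fixes
F:\tdrivers/char/hw_random/
"""

TAG = re.compile(r"^([A-Z]):[ \t]*(.*)$", re.M)

def parse_maintainers(text):
    """Return one {'title', 'status', 'files'} dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = {"title": block.splitlines()[0].strip(), "status": "unknown", "files": []}
        for tag, value in TAG.findall(block):
            if tag == "S":
                # Lower-case so "Odd Fixes" and "Odd fixes" land in one group.
                entry["status"] = value.strip().lower()
            elif tag == "F":
                entry["files"].append(value.strip())
        entries.append(entry)
    return entries

def by_status(entries, prefix):
    """Group entries owning paths under `prefix` by status, keeping classes apart."""
    groups = defaultdict(list)
    for e in entries:
        paths = [f for f in e["files"] if f.startswith(prefix)]
        if paths:
            groups[e["status"]].append((e["title"], paths))
    return dict(groups)

if __name__ == "__main__":
    entries = parse_maintainers(SAMPLE)
    for prefix in ("fs/", "drivers/char/"):
        for status, items in sorted(by_status(entries, prefix).items()):
            print(prefix, status, [title for title, _ in items])
```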

