I'm giving up on seccomp
Hal Murray
hmurray at megapathdsl.net
Thu Sep 3 01:20:13 UTC 2020
esr at thyrsus.com said:
>> I think you have jumped to an unreasonable conclusion by assuming that Go
>> makes seccomp uninteresting. Are you going to rewrite OpenSSL in Go?
> No. There's an openssl binding: ...
That's the whole point of my comment. OpenSSL is written in C. If there is a
typical buffer overrun bug in OpenSSL, seccomp would be as helpful for a Go
version of ntpd as it is for the current version.
If you want to claim your Go program has no buffer overruns, you can't call
out to big complicated libraries written in C. You would have to rewrite them
in Go.
--------
Re early-droproot
We should split enable-seccomp from drop root. Early drop root is good. Late
enable-seccomp is good.
--
These are my opinions. I hate spam.
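The ordering argued for above (drop root early, enable seccomp late) can be made concrete. The following is an added example, not code from this thread or from ntpd: it drops privileges before any untrusted input is handled, builds a default-deny seccomp-bpf allowlist for the daemon's steady state, and installs that filter only after initialisation. The allowlist, the fallback uid/gid 65534 and the `simulate()` helper (a tiny interpreter for the three BPF opcodes the builder emits, so the policy can be checked offline) are all assumptions made for illustration; a real allowlist comes from tracing the daemon. Because `setuid` is not in the steady-state list, the simulator shows directly why dropping root after the filter is installed would kill the process.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers only know RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH 0                     /* unknown platform: main() refuses to install */
#endif

/* Constructed allowlist (an assumption, not ntpd's real set): the syscalls a
 * daemon's steady-state loop needs.  setuid/setgid are deliberately absent. */
static const int steady_state_syscalls[] = {
    SYS_read, SYS_write, SYS_recvmsg, SYS_sendmsg, SYS_clock_gettime,
    SYS_nanosleep, SYS_exit_group, SYS_rt_sigreturn,
};
#define NSYS (sizeof steady_state_syscalls / sizeof steady_state_syscalls[0])

static struct sock_filter insns[4 + 2 * NSYS + 1];
static struct sock_fprog policy;

/* Build a default-deny seccomp-bpf program: check the architecture first,
 * then allow each listed syscall number; everything else kills the process. */
static struct sock_fprog *steady_state_policy(unsigned int arch) {
    size_t n = 0;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NSYS; i++) {
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned int)steady_state_syscalls[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    policy.len = (unsigned short)n;
    policy.filter = insns;
    return &policy;
}

/* Interpret the three opcodes the builder emits (LD|ABS, JEQ|K, RET|K) so the
 * policy can be checked offline, before it is ever installed. */
static unsigned int simulate(const struct sock_fprog *prog, unsigned int arch, int nr) {
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;
    unsigned int acc = 0;
    for (unsigned int pc = 0; pc < prog->len; pc++) {
        const struct sock_filter *in = &prog->filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)&data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;          /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Early: give up root before any code that parses untrusted input runs.
 * Returns 0 on success, -1 on failure (including failing to really lose root). */
static int drop_root(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;  /* supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* regaining uid 0 must now fail */
    return 0;
}

/* Late: install the filter only once initialisation is finished and the
 * steady-state syscall set is all that remains. */
static int install_filter(struct sock_fprog *prog) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog) == 0 ? 0 : -1;
}

int main(void) {
    /* Assumed unprivileged identity (65534 = nobody on many systems) when started as root. */
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    if (drop_root(uid, gid) != 0) { perror("drop_root"); return 1; }
    /* ... initialisation that still needs a wide syscall set runs here ... */
    if (NATIVE_ARCH == 0) { fputs("no AUDIT_ARCH value for this platform\n", stderr); return 1; }
    struct sock_fprog *prog = steady_state_policy(NATIVE_ARCH);
    if (install_filter(prog) != 0) { perror("install_filter"); return 1; }
    printf("seccomp active with %u instructions\n", prog->len);  /* write() is allowed */
    return 0;
}
```

The architecture check comes first so that a syscall number from a foreign ABI (for instance a 32-bit syscall issued from a 64-bit process) cannot be mistaken for an allowed one; the simulator makes that case, and the missing `setuid`, visible without ever installing the filter.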