WireGuard Could Be Mainlined Before Christmas


  • #21
    Originally posted by HyperDrive View Post
    Shit. --- Maybe Linus rules.



    • #22
      Originally posted by k1e0x View Post
      What I'm asking is why it needs to be an in-tree module? It seems like something... more high level.
      I don't understand why you think "something more high level" should be kept in a separate repository.
      Maybe you think "out of tree" means cross-platform like ZFS, but it's not the case.
      Out-of-tree is just "not in the kernel source repository". Many out-of-tree modules are Linux-specific kernel modules.

      If you think something is "more high level" then you should want it to stay in userspace, I think.

      That said, the WireGuard kernel module is not really "high level". It's not compatible with non-Linux kernels. It also does not work on its own: similarly to the kernel firewall and also SELinux/AppArmor, it needs a userspace companion application that loads the configuration and does basic housekeeping (usually shipped in a "wireguard-tools" package in distros).

      There are WireGuard "high level" or "abstracted" userspace-only VPN server applications (which are what you think a VPN server should be) that don't need this kernel module to work.

      That is how you can use WireGuard on BSD or Mac or Windows or Android, for example.

      The WireGuard kernel module is for high-performance applications like VPN server appliances, and if other OS/kernels want to host high-performance WireGuard servers, someone should write a kernel module/driver for them specifically.
      Last edited by starshipeleven; 11-28-2019, 02:57 AM.



      • #23
        Originally posted by nuetzel View Post
        Shit. --- Maybe Linus rules.
        Over the networking subsystem maintainer? Don't get your hopes up. I don't remember ever seeing Linus override a decision by David Miller. Let's face it, WireGuard in the kernel is really nice to have, but it's not a priority. Userspace implementations work fine, albeit suboptimally.



        • #24
          Originally posted by mbello View Post
          Ok k1e0x so apparently you do not know what "in-tree" means.

          Once WireGuard is accepted in the kernel code tree it becomes an official piece of code that has been reviewed and is maintained by the kernel dev team. Today, WireGuard is a piece of code we load on our kernels that is maintained by a dude called Jason. Jason is a great guy and all that, but if you have ever dealt with enterprise IT environments you will know the huge difference.

          Now, being in tree does not mean it must be in your kernel. You will still be able to compile your kernel without any WireGuard code or even compile WireGuard as a module.
          I've dealt with Enterprise IT environments for nearly 30 years. Why is Jason worse than Greg K-H? The Linux kernel team doesn't even recognize security bugs as different than regular bugs and does not file CVEs for them (for admittedly good reason).

          I'm trying to get you to think here that just because something is "in tree, in linux" does not mean it's secure, nor does it mean it's well maintained or good.. that isn't the measure of success. Plenty of software is secure, well maintained and is perfectly fine out of tree. grsecurity is a good example. Like it or hate it, it's been maintained out of tree for.. what? almost two decades now?

          And you know... I like it, I think this is all good. I just think there is a lot of zealotry here. It doesn't really need to be in kernel and Linux itself isn't really even that fast on the network compared to operating systems designed for it.
          Last edited by k1e0x; 11-29-2019, 04:49 PM.



          • #25
            Originally posted by k1e0x View Post

            I understand all those points and all of them are good and fine. (Except for the security one, that makes no sense... only the kernel has "secure code"? What is that, a joke?) A kernel module makes sense from a performance aspect. What I'm asking is why it needs to be an in-tree module? It seems like something... more high level. I guess I'm not really a fan of daemons being in the kernel... I don't think we need mail servers and web servers in the kernel.
            If you had used WireGuard before you would understand. It's more similar to a hardware interface than to any existing VPN software.



            • #26
              Originally posted by k1e0x View Post
              I'm trying to get you to think here
              I'm still waiting for an answer on why it should stay out-of-tree, because so far you only posted your "gut feelings", not a proper answer.

              Linux stuff is usually in-tree and only bad hacks and license conflicts are left out-of-tree. Call it tradition if you want, but that's what is expected.

              It doesn't really need to be in kernel and Linux itself isn't really even that fast on the network compared to operating systems designed for it.
              "Operating systems designed for it [network performance]" have really little to do with most VPN performance, as the VPN application is running in userspace anyway, but OK.
