WireGuard Could Be Mainlined Before Christmas
-
Originally posted by k1e0x:
What I'm asking is why it needs to be an in tree module? it seems like something... more high level.
Maybe you think "out of tree" means cross-platform like ZFS, but it's not the case.
Out-of-tree is just "not in the kernel source repository". Many out-of-tree modules are Linux-specific kernel modules.
If you think something is "more high level" then you should want it to stay in userspace, I think.
That said, the WireGuard kernel module is not really "high level". It's not compatible with non-Linux kernels. It also does not work on its own: similarly to the kernel firewall and also SELinux/AppArmor, it needs a userspace companion application that loads the configuration and does basic housekeeping (usually shipped in a "wireguard-tools" package in distros).
There are WireGuard "high level" or "abstracted" userspace-only VPN server applications (which are what you think a VPN server should be) that don't need this kernel module to work.
That is how you can use WireGuard on BSD or Mac or Windows or Android, for example.
The WireGuard kernel module is for high-performance applications like VPN server appliances, and if other OS/kernels want to host high-performance WireGuard servers, someone should write a kernel module/driver for them specifically.
Last edited by starshipeleven; 28 November 2019, 02:57 AM.
-
Originally posted by nuetzel:
Shit. --- Maybe Linus rules.
-
Originally posted by mbello:
Ok k1e0x so apparently you do not know what "in-tree" means.
Once wireguard is accepted in the kernel code tree it becomes an official piece of code that has been reviewed and is maintained by the kernel dev team. Today, wireguard is a piece of code we load on our kernels that is maintained by a dude called Jason. Jason is a great guy and all that, but if you have ever dealt with enterprise IT environments you will know the huge difference.
Now, being in tree does not mean it must be in your kernel. You will still be able to compile your kernel without any wireguard code or even compile wireguard as a module.
I'm trying to get you to think here that just because something is "in tree, in linux" does not mean it's secure, nor does it mean it's well maintained or good.. that isn't the measure of success. Plenty of software is secure, well maintained and is perfectly fine out of tree. grsecurity is a good example. Like it or hate it, it's been maintained out of tree for.. what? almost two decades now?
And you know.. I like it, I think this is all good. I just think there is a lot of zealotry here. It doesn't really need to be in kernel and Linux itself isn't really even that fast on the network comparatively to operating systems designed for it.
Last edited by k1e0x; 29 November 2019, 04:49 PM.
-
Originally posted by k1e0x:
I understand all those points and all of them are good and fine. (except for the security one, that makes no sense.. only the kernel has "secure code"? what is that, a joke?) A kernel module makes sense from a performance aspect. What I'm asking is why it needs to be an in tree module? it seems like something... more high level. I guess I'm not really a fan of daemons being in the kernel.. I don't think we need mail servers and web servers in the kernel.
-
Originally posted by k1e0x:
I'm trying to get you to think here
Linux stuff is usually in-tree and only bad hacks and license conflicts are left out-of-tree. Call it tradition if you want, but that's what is expected.
It doesn't really need to be in kernel and Linux itself isn't really even that fast on the network comparatively to operating systems designed for it.