[PATCH 0/4] import libcap from packages feed

Petr Štetiar ynezz at true.cz
Fri Mar 12 08:50:20 GMT 2021


Stijn Tintel <stijn at linux-ipv6.be> [2021-03-12 01:25:24]:

Hi,

> Having libcap in OpenWrt base allows us to enable libcap support in
> other packages in base.

there is the same functionality available through procd already, so essentially
you're throwing away that effort, increasing flash space usage etc.

> In lldpd, this would allow the monitor process to drop its privileges
> instead of running as root, improving security. It will also allow us to
> drop our patch to disable libcap.

I assume that you can do it even better with procd's seccomp/jails and
likely confine the master process as well.

> I suspect some people might counter this by saying lldpd belongs in the
> packages feed; 

IMO it belongs in the packages feed, because currently it's an optional package.  In
other words, it's not included in any of the images by default.

> I strongly disagree as imo LLDP is an essential service for any network
> device, and especially switches. Even the cheapest managed switches support
> LLDP for more than 5 years already.

If it's that essential, why is it not enabled and shipped by default? I assume
it's because some folks would complain that LLDP is use case specific, not
everybody would like to have another network exposed service running by
default, not everybody needs LLDP by default in RX/TX mode as TX mode might be
enough etc.

Cheers,

Petr


