Hacker News new | ask | show | jobs
by craftyguy 2609 days ago
> It's a bit of a shame that Librem Tunnel doesn't use WireGuard, though I imagine they'll switch once it's in mainline.

It's a bit of a shame that WireGuard still requires out of tree components to work.. I'm rooting for it to get accepted/merged, but until it does it just becomes a greater risk to build a business off of it.
1 comments
cyphar 2608 days ago
It's in the process of being merged into net-next and mainline right now[1] and most of the hangups are around the new crypto library that WireGuard uses[2].

But honestly though, the risk is identical to any other kernel module -- the author and future subsystem maintainer ensures it builds and works with all new and old kernels, and releases snapshots very regularly. Almost all distributions have packages for WireGuard which are automatically rebuilt with new kernel releases.

There are arguments against using it because it's still (on paper) pre-1.0 software but given it's had fairly widespread use for the past 3 years and no security nightmares it's shown to be quite a bit more secure than

[1]: https://marc.info/?l=linux-netdev&m=155323912319537&w=2 [2]: https://lwn.net/Articles/770750/

link
craftyguy 2608 days ago
> the risk is identical to any other kernel module

Nope, it's not identical. There's a forcing function (e.g. Linus) to help motivate maintainers to fix their crap in the kernel tree if it breaks. That forcing function does not exist for out of tree patches.

link
cyphar 2607 days ago
If we were talking about the out-of-tree VirtualBox drivers I would agree with you. But we're not -- WireGuard has proven itself to be incredibly solid for the past 3 years and supports all kernels since 3.10 (with each commit getting tested against all of those kernels).

To be honest, that is far more stringent requirements than most subsystems in the Linux tree. Being in-tree is better for a variety of reasons, but just because something is in-tree doesn't make it significantly more stable or safe (I can think of several counter-examples where Linus hasn't motivated maintainers to fix mistakes and breaking changes).

link