#3
27th April 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984

Thanks for posting the pledge() links. I've previously pledged a complex port. That it was possible for me to do so is a clear compliment to the simplicity of pledge().

---

If it seems like I'm in agreement with this decision to remove systrace(), I'm actually ambivalent.

I understand the need to remove it. I can agree with the valid reasons to do so. The Hairy Eyeball Project had been gone for more than a decade, and was only a repository of best guesses. The systrace() tool had been unmaintained except for obvious sustaining engineering requirements. There was a performance impact when using it, as it intervened to monitor every syscall.

I still liked the systrace.policy for ports. I could build new ports as a normal user, and not worry about attacks during build from any possible embedded malware, or from mistakes in build decisions made by application developers. (I never had either happen, but you never know.) I even used it last week for a new port, and it caught a common write to /usr during make fake. But systrace() wasn't truly necessary to catch that. I was building as a normal unprivileged user, and the target would have failed even without systrace(). And now, as I only develop ports on -current, it won't be possible for me to use it any longer.

The dpb(1) man page has a section on its ports build security model. It's interesting, because it describes the separation of authority between the various users that can be deployed. A build user only needs access to a very small set of directory structures. It does not need network connectivity; that's the responsibility of the fetch user. The log user records build logs, so the build user doesn't even need access to those structures. The dpb() model has me thinking how I will manage new port development without systrace().

Last edited by jggimi; 27th April 2016 at 12:36 AM. Reason: clarity