Change all references from whitelist to allowlist #1054
LGTM, should we also take care of slave (except when it is an option for mount)?
@@ -214,9 +214,9 @@ Runtimes MAY attach the container process to additional cgroup controllers beyon | |||
} | |||
``` | |||
|
|||
### <a name="configLinuxDeviceWhitelist" />Device whitelist |
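Review bot: the heading line `### <a name="configLinuxDeviceWhitelist" />Device whitelist` carries an explicit anchor name, so renaming the anchor together with the heading text breaks any existing link to `#configLinuxDeviceWhitelist`. Either keep the old anchor alongside the new one, or update every reference to it in the same change and check that no link is left pointing at the old name.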
Since "whitelist" implies a deny-by-default configuration (with "blacklist" implying the reverse), we should add some text to clarify that this is the case. At least to my ear, "allowlist" doesn't have that implication (at least not as apparently as "whitelist").
block/unblock?
I should've better clarified my point here -- the title "device allowlist" is totally fine (and I prefer it to "allowed device list"). What I was suggesting is to add a single sentence which says something like:
The allow-list MUST have a default deny-all policy, meaning that if it is omitted no device access is permitted.
This would not be a change in behaviour (since that is how all implementations have worked and is technically already required by the term "whitelist") but instead just a clarification.
@giuseppe Indeed. In particular, the text on pseudoterminals should also be revised to use "ptmx" and "pty" or something like that. There was a Twitter thread about this a few days ago.
Well, allowlist and denylist were the names referenced in the blog above, which is why I went with them. I am fine with picking some other name or just adding clarification data.
9b17daf to a995de8
I've performed the same change in crun after seeing that discussion :-) my first thought was for using
thanks. LGTM
@cyphar @thaJeztah PTAL
found one broken anchor, but lgtm otherwise
LGTM (not a maintainer)
specs-go/config.go
Outdated
@@ -354,7 +354,8 @@ type LinuxRdma struct { | |||
|
|||
// LinuxResources has container runtime resource constraints | |||
type LinuxResources struct { | |||
// Devices configures the device whitelist. | |||
// Devices configures the only devices allowed to be used within | |||
// the container. |
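Review bot: the two-line comment on `Devices` in `LinuxResources` says which devices are allowed but not what applies when the list is empty or omitted. State the default in the comment, and use the same term as the spec section heading so the field can be matched to its section.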
s/whitelist/allowlist/ reads better IMHO.
Switched back.
We want to move to more inclusive names/terms in our code, and remove problematic language from code and comments.

We want to change references for whitelist/blacklist to allowlist/denylist.

https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language

We also want to fix slave references to pty for pseudoterminals. We will change the slave references to whatever the kernel specifies, once the kernel fixes its references.

Co-authored-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Daniel J Walsh <[email protected]>

We want to move to more inclusive names/terms in our code, and remove problematic language
from code and comments.
We want to change reference for whitelist/blacklist to allowlist/denylist.
https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language
Signed-off-by: Daniel J Walsh [email protected]