On Thu, 2006-16-02 at 15:24 -0600, Les Mikesell wrote:
> On Thu, 2006-02-16 at 15:07, Dave Jones wrote:
>
> > > There is a cisco vpn client for linux. Run that for work all the time.
> > >
> > > Check their web site for the software or ask your IT group for it.
> >
> > It uses a binary only kernel module that frequently causes problems
> > judging by the number of reports I've seen in bugzilla tainted by it,
> > which magically 'go away' when the user switches to using vpnc.
> >
> > One of the horrors of binary kernel modules is they don't keep up
> > with the steady release of upstream kernels, so what might work
> > fine on one release might break horribly in next week's updates,
> > sometimes in particularly drastic ways like memory corruption
> > which then finds its way written out to disk.
>
> That's one way of thinking about it. The other is that one of
> the horrors of running Linux is that every kernel release may
> break previously used interfaces and force you to replace all
> your tested modules.

I will second that. If the binary module has a static API to connect with, and problems occur, it is the part that changed that has failed, not the part that didn't. If the API is not static, it is by choice of the developers to make it so. That is why Nvidia has wrappers for its binary modules: although the wrapper needs to be recompiled for every new kernel, the binary component does not.

As far as I can tell, "the horrors of binary kernel modules" may have some validity, but is mostly generic fear mongering. Not all binary modules are made equal, just as developers are not made equal. I personally have never had any corruption problems with the binary drivers from Nvidia, but that is the only binary component I currently use.

Rather than promote fear, why not lobby to get the dbkm or dkbm, whatever it is, that will make a dynamic binary kernel module system available? If developers have a static API to design their modules, there could be more drivers available.

Some device manufacturers have secrets they are legally bound to protect, that prohibit them from releasing source, and it is a fact of life. If you keep kicking the manufacturers in the balls when they suggest a binary module, they are no more likely to cave in and give you the source than they are to completely turn their backs on you and not help you at all.