I assume you mean "decreases security" by context. And in that case - purely from a security standpoint - generally speaking the answer is yes. This is why security can often be a PITA when you're trying to adopt new things and innovate, meanwhile by default security wants things that have been demonstrated to work well. It's a known catch-22.

Now, how I would be able to run it is a very open question and I do agree there are some ways that are more reasonable asks than others. But the present-day status quo of "company says suck eggs and you just have to deal with it" is not an acceptable final state.

From what I gather it seems like you could potentially create scenarios where TOCTOU is indeed a problem, but in considering the situations where it could come up I do feel like all my ideas are somewhat contrived in nature. And even when noodling on it I very much get the feeling that I return to my previous statement: consider what you're building. I think that the potential for TOCTOU could potentially compromise a hypervisor's security (i.e. letting an arbitrary number of user on a system make arbitrary io_uring calls) and even if I couldn't demonstrate how that could be weaponized I would avoid it. However, if you're writing an application that's going to do a read(2) or something, I don't see TOCTOU being a uniquely io_uring problem.

io_uring is effectively as "secure" as any other syscall unto itself. The issue is that the mechanism by which io_uring makes its syscalls as part of its submission/completion queues means that those underlying syscalls can't be filtered by seccomp. The real question is your security posture.

If you're writing a hypervisor that's intended to partition resources between underlying users in a secure fashion, the ability for io_uring to bypass seccomp is largely a non-starter. But if you own the machine and you just want to run an application on it (i.e. an HTTP server that uses io_uring for file/network io) you should largely be in the clear.

That said, while I don't condone it I can't say I'm surprised by it. It seems stoking divisions is a large part of the modern media landscape and all it takes is one person with the motive and the means.

Given the amount of government subsidy and regulation that exists in our markets I assume this, too, is a simply ESL error that can be fixed quickly?

Definitely a much better tax situation but also not one we would've been in if not for the TCJA, and we still have an exposed oblique (the removal of the domestic research exclusion) that could put us back in the same spot unless the software development as research section is removed.