[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Raisin, was Critique of the Xen Security Process

On Wed, 11 Nov 2015, Ian Campbell wrote:
> On Mon, 2015-11-09 at 15:48 -0600, Doug Goldstein wrote:
> > I'll echo this sentiment as well. Most distro packagers will dislike
> > this and need to work around some of this behavior in their respective
> > distros.
> This is something we have been working upstream to address as well. As it
> stands I believe everything which the tools might download can be
> redirected to instead an existing component (via one of the --with-system-
> foo configuration options) or disabled (via a --disable-foo configure
> option). So I think now the current state is that there aren't
> "workarounds" but rather "supported ways to disable".
> The big outstanding issue is the stubdom build, the distro I care about
> most (Debian) simply doesn't build these (for reasons above and beyond the
> downloading).

Yes indeed. I have been tempted to disable stubdoms in Raisin until they
are properly integrated in it.

> >  Project Raisin is aiming to help with this
> Indeed, and it might also allow us to make some of the above options the
> default in the future.
> Maybe in the meantime perhaps a ./configure --ensure-offline or --disable-
> downloads which:
>  * either disables stubdoms automatically or checks you've passed --
>    disable-stubdom as well
>  * either disables all the other things which might be cloned or requires
>    the corresponding --with-system-foo=, or has a guess at a default system
>    version
>  * sets FETCHER to /bin/false
> would be useful? (essentially as a guard against new options being required
> to turn stuff off).
> >  but it doesn't seem
> > to have a lot of community effort behind it and it too attempts to
> > install dependencies on my machine and wants to be run with sudo.
> I believe it has a mode where it simply checks for dependencies and tells
> you what is required and thereby avoids the need for sudo, but I'm not
> sure.

Yes, that is correct. Raisin won't try to use sudo before asking the
user first. That is the expected behaviour, if it doesn't work that way
is a bug.

Moreover I would be happy to introduce signature checks on git clones
and downloads in Raisin.
Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.