From: Doug Goldstein
Subject: Re: Raisin, was Critique of the Xen Security Process
Date: Wed, 11 Nov 2015 10:24:23 -0600
Message-ID: <56436BB7.6060603@cardoe.com>
References: <20151106172228.GA2335@work-mutt> <564114BA.8060206@cardoe.com> <1447235005.8556.8.camel@citrix.com>
To: Stefano Stabellini, Ian Campbell
Cc: xen-devel@lists.xen.org

On 11/11/15 6:33 AM, Stefano Stabellini wrote:
> On Wed, 11 Nov 2015, Ian Campbell wrote:
>> On Mon, 2015-11-09 at 15:48 -0600, Doug Goldstein wrote:
>>>
>>> I'll echo this sentiment as well. Most distro packagers will dislike
>>> this and need to work around some of this behavior in their respective
>>> distros.
>>
>> This is something we have been working upstream to address as well. As it
>> stands I believe everything which the tools might download can be
>> redirected to instead an existing component (via one of the
>> --with-system-foo configuration options) or disabled (via a --disable-foo
>> configure option). So I think now the current state is that there aren't
>> "workarounds" but rather "supported ways to disable".
>>
>> The big outstanding issue is the stubdom build, the distro I care about
>> most (Debian) simply doesn't build these (for reasons above and beyond the
>> downloading).
>
> Yes indeed. I have been tempted to disable stubdoms in Raisin until they
> are properly integrated in it.

Define "properly integrated in". What work needs to be done to support
this? Until the tooling really makes it easy to use stubdoms then people
won't really use them and improve them.

>
>
>>> Project Raisin is aiming to help with this
>>
>> Indeed, and it might also allow us to make some of the above options the
>> default in the future.
>>
>> Maybe in the meantime perhaps a ./configure --ensure-offline or
>> --disable-downloads which:
>>  * either disables stubdoms automatically or checks you've passed
>>    --disable-stubdom as well
>>  * either disables all the other things which might be cloned or requires
>>    the corresponding --with-system-foo=, or has a guess at a default system
>>    version
>>  * sets FETCHER to /bin/false
>>
>> would be useful? (essentially as a guard against new options being required
>> to turn stuff off).
>>
>>> but it doesn't seem
>>> to have a lot of community effort behind it and it too attempts to
>>> install dependencies on my machine and wants to be run with sudo.
>>
>> I believe it has a mode where it simply checks for dependencies and tells
>> you what is required and thereby avoids the need for sudo, but I'm not
>> sure.
>
> Yes, that is correct. Raisin won't try to use sudo before asking the
> user first. That is the expected behaviour, if it doesn't work that way
> is a bug.
>
> Moreover I would be happy to introduce signature checks on git clones
> and downloads in Raisin.
>

Does it have the mode Ian mentions where it will just print the depends
out to the user instead of installing them for you?
-- 
Doug Goldstein
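
The `--ensure-offline` guard proposed in the quoted text above, sketched in shell as an added example; it is not part of the original message and is not code from Xen's configure script or from Raisin. It implements the "check and require" variants of the proposal, the component names `foo` and `bar` follow the thread's own placeholder naming, and `check_offline` and `offline_fetcher` are hypothetical helper names.

```shell
#!/bin/sh
# Added illustration of the proposed offline guard; not Xen's configure script.
# Placeholder components in the thread's own "foo" style (assumption).
COMPONENTS="foo bar"

# check_offline ARGS...
# Prints one line per way the given configure arguments could still trigger
# a download. Returns 0 only when nothing is left to fetch.
check_offline() {
    stubdom_off=no
    handled=" "
    for arg in "$@"; do
        case "$arg" in
            --disable-stubdom) stubdom_off=yes ;;
            --with-system-*=?*)            # needs a non-empty path
                name=${arg#--with-system-}
                handled="$handled${name%%=*} " ;;
            --disable-*)
                handled="$handled${arg#--disable-} " ;;
        esac
    done
    rc=0
    if [ "$stubdom_off" != yes ]; then
        echo "stubdom: build may download, pass --disable-stubdom"
        rc=1
    fi
    for c in $COMPONENTS; do
        case "$handled" in
            *" $c "*) ;;
            *) echo "$c: pass --with-system-$c=PATH or --disable-$c"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# offline_fetcher ARGS...
# Prints the FETCHER value for a verified offline build (/bin/false, so any
# download that slips through fails loudly); fails if the check does not pass.
offline_fetcher() {
    check_offline "$@" >&2 || return 1
    echo /bin/false
}

# Constructed invocation: everything is redirected or disabled.
FETCHER=$(offline_fetcher --disable-stubdom --with-system-foo=/usr/lib/foo \
    --disable-bar) && echo "FETCHER=$FETCHER"
```

Because the component list is checked in one place, a newly added downloadable component fails the guard until it is either disabled or pointed at a system copy, which is the "guard against new options" purpose stated in the proposal.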