Date: Fri, 2 Oct 2015 13:33:24 +0100
From: "Daniel P. Berrange"
Message-ID: <20151002123324.GB10222@redhat.com>
References: <371B9FFB-14FD-4707-9094-29EC9F6B508F@gmail.com> <87vbavm27u.fsf@blackfin.pond.sub.org> <20150929131109.GI3810@work-vm> <20150929133124.GK3810@work-vm> <8737xw9wl2.fsf@blackfin.pond.sub.org> <20150930081441.GB2627@work-vm>
Subject: Re: [Qemu-devel] feature idea: allow user to run custom scripts
Reply-To: "Daniel P. Berrange"
To: Peter Maydell
Cc: qemu-devel, Markus Armbruster, Michael Roth, "Dr. David Alan Gilbert", Programmingkid, Peter Crosthwaite

On Wed, Sep 30, 2015 at 11:53:50AM +0100, Peter Maydell wrote:
> On 30 September 2015 at 09:14, Dr. David Alan Gilbert wrote:
> > * Markus Armbruster (armbru@redhat.com) wrote:
> >> In my opinion, QEMU should leave them to separate GUI shells, because
> >> doing everything in QEMU distracts from our core mission and we don't
> >> have GUI expertise[*]. One more point: building in the GUI is
> >> problematic when you don't trust the guest, because then you really want
> >> to run QEMU with least privileges.
> >
> > Given that we have a built-in GUI then I can see people wanting to expand
> > it.
>
> Right, but where do you draw the line? We clearly don't have the
> active maintainer and review capacity to do anything serious with
> "ui/" (MAINTAINERS lists everything except SPICE as Odd Fixes).
>
> This is why I tend to agree with Markus' opinion here: we should
> provide enough graphical UI to make raw QEMU minimally usable,
> and leave further user-friendliness to other projects which have
> more direct interest in that.
>
> If we had more regular contributors who were actively interested
> in improving our UI layer my opinion might be different.

Even if we had more contributors interested in that, I still think that
we should not do it, because building a UI into QEMU is a fundamentally
bad design / architecture. QEMU is a security sensitive component and we
want to know the boundaries of what a guest exploit can achieve - including
a GUI massively expands the attack surface, making it more or less impossible
to confine any QEMU exploit, even with tools like SELinux/AppArmor, because
you have to allow use of the desktop protocol, at which point you can just
talk to a separate app to perform the exploit.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|