From: Paolo Bonzini
Date: Mon, 23 Mar 2015 18:15:01 +0100
Subject: Re: [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off
To: Markus Armbruster, qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, stefanha@redhat.com, mreitz@redhat.com
Message-ID: <55104A15.9030401@redhat.com>
In-Reply-To: <1427105099-12889-2-git-send-email-armbru@redhat.com>

On 23/03/2015 11:04, Markus Armbruster wrote:
> Probing is convenient, but probing untrusted raw images is insecure
> (CVE-2008-2004). To avoid it, users should always specify raw format
> explicitly. This isn't trivial, and even sophisticated users have
> gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239,
> plus more recent variations of the theme that didn't get CVEs because
> they were caught before they could hurt users).
>
> Disabling probing entirely is a (hamfisted) way to ensure you always
> specify the format.
>
> Instead of creating yet another simple option that doesn't work with
> -readconfig, create a "misc" option group and --misc command line
> option. We're out of space in vm_config_groups[], so double it.
>
> This will let us make existing miscellaneous non-QemuOpts options
> sugar for --misc, so they become available with -readconfig. Left for
> another day.

Which exactly? Could they fit into another scheme? (See how -mem-prealloc was replaced and generalized by memory-backend-* objects). For example, -win2k-install-hack should really be an IDE disk property that can be set with -global, and many other options could be machine or display options.

I don't think it's the right solution. Libvirt knows where to add a format=raw option, and it can do it without waiting for QEMU to implement this. Direct command-line users are not going to use the option anyway.

So for today we're 1-1 on NACKs. :D

Paolo
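Both sides of the thread agree on the mitigation itself: every image on the command line should have its format pinned so QEMU never probes it. The following lint, an added example that is not part of this thread or of QEMU, walks a QEMU command line and reports each image whose format would be left to probing; it accepts either `format=` or the blockdev-style `driver=` key on `-drive` (QEMU rejects a spec that sets both) and treats the `-hda`/`-cdrom` shorthands, which take a bare path, as always probed.

```python
import shlex

# Shorthands that take only a path: the format can come only from probing.
SHORTHAND_OPTS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom"}
# Either key pins the image format for -drive.
FORMAT_KEYS = {"format", "driver"}


def parse_drive_spec(spec):
    """Parse one -drive spec into a dict.

    QEMU option syntax: key=value pairs separated by commas, a literal
    comma written as ',,', and a leading bare value meaning file=.
    """
    placeholder = "\0"  # hide escaped commas so we can split on the rest
    parts = spec.replace(",,", placeholder).split(",")
    opts = {}
    for i, part in enumerate(parts):
        part = part.replace(placeholder, ",")
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
        elif i == 0:
            key, value = "file", part
        else:
            raise ValueError(f"malformed -drive option: {part!r}")
        opts[key] = value
    return opts


def probing_drives(cmdline):
    """Return one finding per image whose format QEMU would have to probe.

    An empty list means every image on the command line has its format pinned.
    """
    findings = []
    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in SHORTHAND_OPTS and i + 1 < len(argv):
            findings.append(f"{arg} {argv[i + 1]}: shorthand cannot pin a format, use -drive ...,format=raw")
            i += 2
        elif arg == "-drive" and i + 1 < len(argv):
            opts = parse_drive_spec(argv[i + 1])
            # Only drives that actually reference an image can be probed.
            has_image = "file" in opts or any(k.startswith("file.") for k in opts)
            if has_image and not (FORMAT_KEYS & opts.keys()):
                findings.append(f"-drive {opts.get('file', '?')}: no format=, image will be probed")
            i += 2
        else:
            i += 1
    return findings
```

Run it over the command line libvirt or a wrapper script is about to launch; any finding means the image content, not the configuration, decides which block driver opens it.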