Xen project Mailing List

[Xen-devel] Raisin, was Critique of the Xen Security Process

To: Ian Campbell <ian.campbell@xxxxxxxxxx>

From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

Date: Wed, 11 Nov 2015 12:33:38 +0000

Cc: Doug Goldstein <cardoe@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx

Delivery-date: Wed, 11 Nov 2015 12:34:09 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, 11 Nov 2015, Ian Campbell wrote: > On Mon, 2015-11-09 at 15:48 -0600, Doug Goldstein wrote: > >Â > > I'll echo this sentiment as well. Most distro packagers will dislike > > this and need to work around some of this behavior in their respective > > distros. > > This is something we have been working upstream to address as well. As it > stands I believe everything which the tools might download can be > redirected to instead an existing component (via one of the --with-system- > foo configuration options) or disabled (via a --disable-foo configure > option). So I think now the current state is that there aren't > "workarounds" but rather "supported ways to disable". > > The big outstanding issue is the stubdom build, the distro I care about > most (Debian) simply doesn't build these (for reasons above and beyond the > downloading). Yes indeed. I have been tempted to disable stubdoms in Raisin until they are properly integrated in it. > > Project Raisin is aiming to help with this > > Indeed, and it might also allow us to make some of the above options the > default in the future. > > Maybe in the meantime perhaps a ./configure --ensure-offline or --disable- > downloads which: > * either disables stubdoms automatically or checks you've passed -- > disable-stubdom as well > * either disables all the other things which might be cloned or requires > the corresponding --with-system-foo=, or has a guess at a default system > version > * sets FETCHER to /bin/false > > would be useful? (essentially as a guard against new options being required > to turn stuff off). > > > but it doesn't seem > > to have a lot of community effort behind it and it too attempts to > > install dependencies on my machine and wants to be run with sudo. > > I believe it has a mode where it simply checks for dependencies and tells > you what is required and thereby avoids the need for sudo, but I'm not > sure. Yes, that is correct. Raisin won't try to use sudo before asking the user first. That is the expected behaviour, if it doesn't work that way is a bug. Moreover I would be happy to introduce signature checks on git clones and downloads in Raisin.

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.