On Thu, May 05, 2016 at 12:39:24PM -0400, Cole Robinson wrote: > On 05/05/2016 12:20 PM, Pavel Hrdina wrote: > > This config option is broken, it will generate unix socket even if > > attribute 'listen' or listen element is specified. > > > > Also following commit will makes this option obsolete. > > > > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> > > IMO this is not acceptable. For one, there's no precedent for removing a > qemu.conf option; IMO it's part of our API. > > But the reason this option exists is so site admins can make listen > type=socket/socket= the graphical default, as opposed to a wide open > listen=127.0.0.1 that any user on the host can trivially access. VNC passwords > are known insecure, so locking down the listening mechanism is really the only > (current) way to secure VNC. ...TLS with x509 certs and/or SASL is an alternative current secure VNC mechanism. I agree though its desirable to have a global way to make VNC listen UNIX sockets instead of localhost Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list