On Tue, Feb 14, 2017 at 05:47:27PM +0100, Andrea Bolognani wrote: > On Tue, 2017-02-14 at 16:20 +0000, Daniel P. Berrange wrote: > > > On the other hand, we really only care about having the ACL > > > APIs when we are isolating QEMU, which only happens of Linux > > > due to the namespaces requirement... So maybe we could have > > > it as a strict requirement on Linux only, and as an optional > > > dependency on other platforms? > > > > IMHO it'd be better to just disable the namespace code at build > > time if we don't have libacl rather than adding mandatory build > > deps. > > I'm afraid that might lead to people forgetting to install > libacl-devel[1] on Linux and ending up with less security > than expected / desired as a result. You can make the same argument about many other libraries we have optional dependancies against, libcapng, libselinux, apparmour, etc. Our general policy is for libraries to be optional and I don't see a reason for this to be a different case > [1] I know I did while trying to figure this bug out ;) If we disabled namespace support when libacl is missing at build time you would have noticed quite quickly that you weren't using namespaces. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list