Re: [libvirt PATCH 15/28] build: add nft to the list of binaries we attempt to locate

On 5/4/23 4:33 AM, Andrea Bolognani wrote:
> On Wed, May 03, 2023 at 04:26:21PM +0100, Daniel P. Berrangé wrote:
>> On Sun, Apr 30, 2023 at 11:19:30PM -0400, Laine Stump wrote:
>>> and include it in BuildRequires and Requires of the rpm specfile to
>>> make sure it's available when doing official distro builds.
>>
>> This new dep will need libvirt.yml in libvirt-ci.git to be updated
>> and the dockerfiles then re-generated.
>
> I don't think we need the BuildRequires, or the build time detection,
> at all. Just
>
>    #define NFT "nft"
>
> in the relevant file and be done with it. We'll locate the binary at
> runtime, same as we're doing with most of them already.

Are we? What's the huge list of "optional programs" in meson.build then?

I don't have any problem with doing all binary-location at runtime, as long as we don't think there's any potential security problem / bug that could arise from having a different binary with the same name added in some place earlier in $PATH (is that why we started canonicalizing binary paths during the build?) Thanks to the way g_find_program_in_path() was written, code later in this series that checks to see which binaries are available will work properly, whether or not the binary name was canonicalized during build, so making such a change won't have any effect on that.

> The Requires is still needed, of course.
>
> Maybe we also want to turn the iptables dependency into a Recommends?
> That way you will be able to uninstall it for a pure nft-based setup.

I was being ultra-conservative about the change, making it opt-in for the distros for now at least. But I'm also fine with making it opt-out

> ... at some point. A lot of stuff seems to still depend on iptables
> today, at least in Fedora.

Yeah, *somebody* has to start pulling the plug on it (actually firewalld has had nftables support for a long time, and I think it's probably the default although I haven't checked). It is really amazing how many people still automatically talk about iptables when they talk about filtering network traffic :-/




