On Fri, May 05, 2023 at 02:04:01AM -0700, Andrea Bolognani wrote: > On Thu, May 04, 2023 at 02:21:57PM -0400, Laine Stump wrote: > > On 5/4/23 4:33 AM, Andrea Bolognani wrote: > > > I don't think we need the BuildRequires, or the build time detection, > > > at all. Just > > > > > > #define NFT "nft" > > > > > > in the relevant file and be done with it. We'll locate the binary at > > > runtime, same as we're doing with most of them already. > > > > Are we? What's the huge list of "optional programs" in meson.build then? > > Leftovers, that I intend to clean up At Some Point™ :) > > > I don't have any problem with doing all binary-location at runtime, as long > > as we don't think there's any potential security problem / bug that could > > arise from having a different binary with the same name added in some place > > earlier in $PATH > > If some malicious actor can alter root's $PATH, or inject binaries > into it, it's pretty much game over already. > > > (is that why we started canonicalizing binary paths during > > the build?) > > I think it was done more for feature detection purposes, e.g. only > enable the network driver if ifconfig is present or something. > > But that gets in the way of packagers, who usually want to explicitly > enable/disable features anyway and to build in a minimal environment. > It also assumes same-host deployment, and locks the configuration too > early (what if I install ifconfig after building libvirt?). > > Runtime detection has some drawbacks too, but overall is more > flexible and we've been moving in that direction. > > > > Maybe we also want to turn the iptables dependency into a Recommends? > > > That way you will be able to uninstall it for a pure nft-based setup. > > > > I was being ultra-conservative about the change, making it opt-in for the > > distros for now at least. But I'm also fine with making it opt-out > > I believe Dan argued for the nft backend to be made the default where > possible. I generally agree that we should adopt forward-looking > defaults whenever that can be done without breaking existing users. > > Anyway, regardless of which one of the backends ends up being the > default one, maybe *both* nft and iptables should be Recommends? That > way you'll get both installed by default, but you'll be able to drop > the one that you're not using if you're aiming for a minimal > deployment. Fedora has used nft kmod since at least Fedora 32 IIRC. While you could potentially unload it and load the iptbles kmods I expect the users doing that are minimal if any. Even if someone is doing that, I see no reason why we can't exclusively have Requires: nft, and ignore iptables as far as deps are concerned. The only "downside" is that someone who has done the edge case of revertnig to iptables will have a redundant 'nft' userspace package installed. I think that's totally acceptable for such a niche edge case. Same for RHEL >= 9. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
