On Wed, Sep 28, 2011 at 1:19 PM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Wed, Sep 28, 2011 at 11:14:57AM +0100, Stefan Hajnoczi wrote:
>> Does febootstrap-supermin-helper need to be dynamic or could
>> libguestfs create a /var/lib/guestfs/appliance-initramfs.gz on
>> install? Then libguestfs on the client can create the appliance
>> domain and point at that static initramfs file path.
>
> This is how the Debian package of libguestfs works (Hilko's official
> package, not my one).
>
> However this is troublesome because it means any security problem in a
> dependent program is baked into the appliance. Applying a security
> update to the host wouldn't update this libguestfs appliance. Compare
> this to the way febootstrap-supermin-helper normally works (eg
> upstream, Fedora and RHEL): the appliance is rebuilt whenever any
> change is noticed in a dependent program.

That sounds like a limitation in the packaging system. If 'watch'
hooks can be registered by the libguestfs package on its dependencies,
then it can rebuild itself every time a dependency changes.

Or the low-tech way is for the libguestfs package maintainer to create
a new package each time its dependencies have updated - Debian has a
volatile repo for packages that change a lot.

At the end of the day we have this problem because the libguestfs
appliance is a distro built from the underlying distro itself :)!

Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
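The staleness problem discussed in this thread can be checked for mechanically. The following is an added example, not code from the thread, libguestfs or febootstrap: it fingerprints the host files baked into a pre-built appliance and reports when a host update has made the image stale. The function names, the list file and the stamp file are hypothetical, and `sha256sum` (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example: detect a pre-built appliance that no longer matches the host.
# All function names and file arguments here are hypothetical.

# fingerprint LISTFILE
# Hash the contents of every host file named in LISTFILE (one path per line)
# and fold the per-file results into a single digest. Missing files are
# recorded as well, so a removed or newly installed dependency also changes
# the fingerprint.
fingerprint() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then
            sha256sum -- "$path" 2>/dev/null || printf 'unreadable  %s\n' "$path"
        else
            printf 'missing  %s\n' "$path"
        fi
    done < "$1" | sha256sum | cut -d' ' -f1
}

# appliance_is_stale LISTFILE STAMPFILE
# Exit status 0 (stale) when no stamp exists or the host files have changed
# since the stamp was written; non-zero when the appliance is current.
appliance_is_stale() {
    [ -f "$2" ] || return 0
    [ "$(fingerprint "$1")" != "$(cat "$2")" ]
}

# record_stamp LISTFILE STAMPFILE
# Call after a successful rebuild. The stamp is written to a temporary file
# and renamed so that an interrupted run never leaves a partial stamp.
record_stamp() {
    fingerprint "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}
```

A package hook or a periodic job could call `appliance_is_stale` and, when it returns 0, rebuild the image and then call `record_stamp`.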