Hi Leonid,

On Mon, Sep 15, 2014 at 7:41 PM, Leonid Isaev <lisaev@xxxxxxxxxxxx> wrote:
> On Mon, Sep 15, 2014 at 07:32:51AM +0200, Tobias Hunger wrote:
>> As I understand this, systemd expects daemons to deal with no settings in
>> /etc and /var.
>
> /var stores files, not settings. Most daemons will run OK with empty /var. But
> what do you do with the files? Some kind of rsync gluework?

I do not clean up /var in my setup and just keep it.

>> I do not consider this a problem. When you use somebody's images you need
>> to trust that person. I do not consider trusting the keys that person
>> provides to be a problem.
>
> But it is a problem which has already been discussed. If you have N images, and
> 1 has its key stolen, all N are in danger. So, it's not about (not) trusting
> the developer.

Well, I do not put the secret keyring into the images, so everything should be
fine. Pacman can still validate images, so everything is well. Local installs
are not possible anyway.

>> Any privileged process can mess with /etc at any time. With factory reset
>> at least you get a pristine copy to compare the files in /etc against.
>
> Sure, and then we call it malicious... What do you call pristine? The files
> shipped on a livecd? Or empty default configs shipped with daemons? So far,
> there are only things like groups/users, but those are trivialities.

In the general case 'pristine' is probably the settings shipped by the various
Arch Linux packages. In my case it obviously is the config for the usr-snapshot
(== config from the Arch Linux packages + all my local changes).

> We already have ldconfig.service, systemd-update-done.service, etc. enabled
> by default, which messed a number of my containers.

I guess that is the price we all have to pay occasionally for running fresh
software.

Best Regards,
Tobias
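The exchange above turns on being able to compare a live /etc against a "pristine" copy (the factory tree, or the configs the packages ship). The following is an added example, not code from this thread or from systemd or pacman: a POSIX shell script that walks a pristine tree and a live tree and reports files that were modified, files missing from the live tree, and files added locally. The directory layout, file names and contents are constructed sample data to make the script run offline; on a real Arch system the pristine tree would be something like /usr/share/factory/etc (systemd's factory tree) and the live tree /etc, and files that are expected to differ per machine (machine-id, hostname, generated keys) should be filtered out before treating a difference as suspicious.

```shell
#!/bin/sh
# compare_tree PRISTINE_DIR LIVE_DIR
# Prints one line per difference between a pristine configuration tree and
# the live one:
#   modified <path>  file exists in both trees but contents differ
#   missing  <path>  file exists only in the pristine tree
#   added    <path>  file exists only in the live tree
# Paths are printed relative to the tree roots. Nothing is printed for files
# that match byte for byte.
compare_tree() {
    pristine="$1"
    live="$2"
    # Every file the pristine tree ships must still be there and unchanged.
    find "$pristine" -type f | sort | while IFS= read -r f; do
        rel="${f#"$pristine"/}"
        if [ ! -e "$live/$rel" ]; then
            printf 'missing  %s\n' "$rel"
        elif ! cmp -s "$pristine/$rel" "$live/$rel"; then
            printf 'modified %s\n' "$rel"
        fi
    done
    # Anything only in the live tree is a local addition (legitimate or not).
    find "$live" -type f | sort | while IFS= read -r f; do
        rel="${f#"$live"/}"
        if [ ! -e "$pristine/$rel" ]; then
            printf 'added    %s\n' "$rel"
        fi
    done
}

# count_diffs PRISTINE_DIR LIVE_DIR
# Prints the number of differing files (0 means the live tree is pristine).
count_diffs() {
    compare_tree "$1" "$2" | wc -l | tr -d ' '
}

# make_sample
# Builds a constructed pair of trees under a temporary directory and prints
# its path. This is sample data for demonstration, not a real /etc:
#   ssh/sshd_config  tampered in the live tree (PermitRootLogin flipped)
#   passwd           identical in both trees
#   resolv.conf      shipped pristine, deleted from the live tree
#   shells           added locally, not shipped at all
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/pristine/ssh" "$root/live/ssh"
    printf 'PermitRootLogin no\n'  > "$root/pristine/ssh/sshd_config"
    printf 'PermitRootLogin yes\n' > "$root/live/ssh/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/pristine/passwd"
    cp "$root/pristine/passwd" "$root/live/passwd"
    printf 'nameserver 127.0.0.1\n' > "$root/pristine/resolv.conf"
    printf '/bin/sh\n/bin/bash\n' > "$root/live/shells"
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample trees, print the report, clean up.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(make_sample)
    compare_tree "$sample/pristine" "$sample/live"
    echo "differences: $(count_diffs "$sample/pristine" "$sample/live")"
    rm -rf "$sample"
fi
```

On the constructed sample this reports three differences (sshd_config modified, resolv.conf missing, shells added) and stays silent about passwd. The comparison uses cmp rather than mtime, since a privileged process that edits /etc can reset timestamps just as easily as it edits contents; the pristine tree itself only has value if it lives somewhere the attacker cannot also write, such as a read-only /usr snapshot.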