On Fri, Nov 23, 2012 at 11:43:01AM +0100, Simon Lukasik wrote:
> On 11/22/2012 09:07 PM, Richard W.M. Jones wrote:
> > On Tue, Nov 20, 2012 at 12:52:30PM -0500, Przemek Klosowski wrote:
> >> Interpreters do not preclude simple data: they just scale better,
> >> from simple linear declarative data to complex, Turing-cranking
> >> swamp. The only argument against it is runtime overhead, which isn't
> >> a problem in many, if not most, cases.
> >
> > It's NOT the only argument against it. Having Turing-complete
> > configuration files makes it impossible to have other programs parse
> > and understand the configuration. Programs including:
> >
> > - OpenSCAP, or any other security scanner
> > - libvirt (hello, old Xen's python config files)
> > - multiple libguestfs tools like virt-sysprep
> > - Augeas and all the tools that use it
> >
>
> Moreover, if the application (polkit) uses its embedded interpreter to
> assess the configuration and the scanner (OpenSCAP) uses its own way of
> assessing it (even if the two differ only in the version of the
> interpreter), this only opens the door to very subtle bugs.
>
> Which leads me to thinking that the applications (which use Turing
> complete languages for configuration) shall provide a comprehensive API
> to query the configuration.

This isn't going to work for SCAP. SCAP (or more specifically, OVAL) is
a standardized XML schema for assessing the configuration of systems.
Steve will correct me if I'm wrong here, but I don't believe there's any
room for it to be calling out to arbitrary custom libraries.

http://oval.mitre.org/language/index.html
http://oval.mitre.org/language/about/definition.html

Like it or not, this sort of scanning is extremely useful for cloud
administrators who want to be able to automatically scan disk images
uploaded from non-trusted sources and find out whether they contain
vulnerabilities. The requirements for configuration files to be simple
and non-Turing-complete are not going to go away.

Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
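The point Rich and Simon are arguing (a scanner that does not run the application's interpreter can only assess declarative configuration) can be shown with a small offline check. The following Python is an added illustration, not code from this thread, OpenSCAP, OVAL or polkit. It assumes a hypothetical scanner that evaluates one OVAL-style test ("key X in section Y must equal Z") over two constructed inputs: a plain INI-style file, which it can assess deterministically, and a polkit-style JavaScript rule file (constructed, not a real polkit rule) whose effective policy depends on the clock and on group membership at evaluation time, which the scanner can only report as indeterminate. The regular expressions that mark "runtime-evaluated constructs" are an assumption of this example, not a standard.

```python
import configparser
import re

# Constructed sample 1: declarative key/value configuration.
DECLARATIVE_CONF = """
[auth]
allow_remote_admin = no
require_password = yes
"""

# Constructed sample 2: a polkit-style JavaScript rule (hypothetical content).
# The result depends on the time of day and on group membership, so the
# effective policy cannot be read off the file without running it.
SCRIPTED_RULES = """
polkit.addRule(function(action, subject) {
    if (action.id == "org.example.admin" && subject.isInGroup("wheel")) {
        return new Date().getHours() < 18 ? polkit.Result.YES
                                           : polkit.Result.AUTH_ADMIN;
    }
});
"""

# Assumed markers of a Turing-complete configuration: anything that defines
# code paths or reads runtime state. A static scanner treats these as a signal
# that the file's meaning is not fixed at rest.
DYNAMIC_CONSTRUCTS = [
    ("function definition", r"\bfunction\s*\("),
    ("conditional branch", r"\bif\s*\("),
    ("clock access", r"\bnew\s+Date\s*\("),
    ("runtime subject query", r"\bsubject\.\w+\s*\("),
]


def find_dynamic_constructs(text):
    """Return the names of runtime-evaluated constructs present in the text."""
    return [name for name, pattern in DYNAMIC_CONSTRUCTS if re.search(pattern, text)]


def assess(text, section, key, expected):
    """Evaluate one OVAL-style equality test against a configuration artifact.

    Returns a dict with 'result' in {'pass', 'fail', 'not_applicable',
    'indeterminate', 'error'} and a human-readable 'reason'.
    """
    dynamic = find_dynamic_constructs(text)
    if dynamic:
        # The application's interpreter decides the effective value; the
        # scanner must not guess, because guessing is where the subtle
        # application/scanner disagreements come from.
        return {
            "result": "indeterminate",
            "reason": "runtime-evaluated constructs: " + ", ".join(dynamic),
        }

    parser = configparser.ConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"result": "error",
                "reason": "not a declarative file: " + exc.__class__.__name__}

    if not parser.has_option(section, key):
        return {"result": "not_applicable",
                "reason": f"{section}.{key} is not set"}

    actual = parser.get(section, key).strip().lower()
    if actual == expected.lower():
        return {"result": "pass", "reason": f"{section}.{key} = {actual}"}
    return {"result": "fail",
            "reason": f"{section}.{key} = {actual}, expected {expected}"}


if __name__ == "__main__":
    for label, text in (("declarative", DECLARATIVE_CONF),
                        ("scripted", SCRIPTED_RULES)):
        verdict = assess(text, "auth", "allow_remote_admin", "no")
        print(f"{label:12s} {verdict['result']:14s} {verdict['reason']}")
```

Run stand-alone, the declarative file yields a definite pass while the scripted file is reported as indeterminate with the constructs that made it so; a scanner that silently returned "pass" or "fail" for the second case would be doing exactly what Simon warns about, assessing the configuration in its own way rather than the application's.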