Re: raising warning flag on firewalld-default feature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/25/2012 05:12 PM, Richard W.M. Jones wrote:
> On Fri, Nov 23, 2012 at 11:43:01AM +0100, Simon Lukasik wrote:
>> On 11/22/2012 09:07 PM, Richard W.M. Jones wrote:
>>> On Tue, Nov 20, 2012 at 12:52:30PM -0500, Przemek Klosowski wrote:
>>>> Interpreters do not preclude simple data: they just scale better,
>>>> from simple linear declarative data to complex, Turing-cranking
>>>> swamp. The only argument against it is runtime overhead, which isn't
>>>> a problem in many, if not most, cases.
>>>
>>> It's NOT the only argument against it.  Having Turing-complete
>>> configuration files makes it impossible to have other programs parse
>>> and understand the configuration.  Programs including:
>>>
>>>  - OpenSCAP, or any other security scanner
>>>  - libvirt (hello, old Xen's python config files)
>>>  - multiple libguestfs tools like virt-sysprep
>>>  - Augeas and all the tools that use it
>>>
>>
>> Moreover, If the application (polkit) uses its embedded interpreter to
>> assess configuration and the scanner (OpenSCAP) uses it's own way how to
>> assess it (even if it differs in a version of the interpreter). --> It
>> only opens door for very subtle bugs.
>>
>> Which leads me to thinking that the applications (which use Turing
>> complete languages for configuration) shall provide a comprehensive API
>> to query the configuration.
> 
> This isn't going to work for SCAP.  SCAP (or more specifically, OVAL)
> is a standardized XML schema for assessing the configuration of
> systems.  Steve will correct me if I'm wrong here, but I don't believe
> there's no room for it to be calling out to arbitrary custom
> libraries.

Sure, there is no room for *arbitrary* and custom libraries. On the
other hand, there are libraries which are already in use. Consider
librpm which is even namely regarded by OVAL specification. Thus, If
there was comprehensive interface to query polkit configuration, I could
imagine SCAP using it in similar way how it uses librpm.

But my point was more like: If there was an comprehensive interface to
read and write that configuration, there couldn't be a complain about
compliance checks.

> http://oval.mitre.org/language/index.html
> http://oval.mitre.org/language/about/definition.html
> 
> Like it or not, this sort of scanning is extremely useful for cloud
> administrators who want to be able to automatically scan disk images
> uploaded from non-trusted sources and find out whether they contain
> vulnerabilities.  The requirements for configuration files to be
> simple and non-Turing-complete are not going to go away.
> 
> Rich.
> 

--
Simon Lukasik
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux