On 06/09/2013 21:38, Richard W.M. Jones wrote:
> On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
>> No, it's less secure than kvm but it still provides better isolation
>> than a mere chroot.
> It doesn't matter if it's more secure than a chroot, because that's
> not what we're talking about. This is about whether you want
> random-person-off-the-internet to upload any software they like and
> run it on your server, and you *do not* want to do that with either a
> chroot or a Linux container [even if OpenShift got away with it].
>
> And ...

We're talking about a *fedora* infrastructure, not a public infrastructure such as a SuSE OBS instance. As I said, if we were to open it to a larger set of people, I'd go with KVM too.

>> Secure containers as dwalsh described is a worthy improvement.
> ... SELinux labels will not make that situation any better, because an
> exploit somewhere in the large kernel API bypasses SELinux.
>
> Dan Walsh's two replies are much more nuanced than you understand.
>
> Rich.
>

That last phrase proves that you're being condescending with me, and that you didn't get my point at all.

best regards,
H.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct