Re: fakesystemd package breaking builds

On 28 August 2014 12:10, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
On Thu, 28.08.14 07:24, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:

> >>> But regarding kmod/devicemapper, can we please get some stats about how
> >>> big these individually are, and how much is saved by this? kmod at least
> >>> is 150K or so only. Is there really any value in doing this weird stuff
> >>> for a fricking 150K?! Fedora has no bigger fishes to fry?
> >> I'll prepare stats for you tomorrow.
> >>> The systemd-container or fakesystemd stuff sounds awfully adhoc. Can we
> >>> please always discuss this first, and see if we can find a different
> >>> solution? We don't need three different "solutions", if one works
> >>> too...
> >> We've talked about this on Flock - it's not only about disk space
> >> but also about security reasons (CC'ing Dan Walsh). My goal was not
> > Dan, can you elaborate what the rationale for this is?
>
> It is not about security escalation, it is about the need to update a
> container image if a CVE happens on any of the packages installed.
> Basically we want to keep the turn on images as small as possible.  If
> systemd, kmod, udev ... have a CVE and they are not used within an
> image, then we would still need to update the image because it
> contains "vulnerable" code, or potentially vulnerable code.

Is kmod/systemd really that bad with CVEs? I mean, if there was a large
number of them, maybe that's something to think about, but I see 2 in
2012, and 5 in 2013, and 0 in 2014... and those are not really the
biggest issues in the world either, and certainly not in any way
relevant if you just leave the files lying around....


Past performance does not indicate future pains. It doesn't matter if an application has even had 0 in the past. The idea of having to respin every image because of a piece of software which isn't needed but is included in everything will cause the bristles to go up for any large organization that must pass audits (or a company that hosts for companies that must pass audits). It doesn't matter that it can't be used to break out of the image etc. It is more about potential work and what can cause that potential work.

[This is non-rational, but it is how things work, and after twenty years of telling people that putting antivirus on a Linux desktop doesn't solve a problem... it isn't the sort of problem which goes away with a rational argument.]

--
Stephen J Smoogen.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
