On Thu, Sep 20, 2018 at 2:48 PM, Gerd Hoffmann <kraxel@xxxxxxxxxx> wrote:
> Hi,
>
> > If we consider the nbd PoC and the solution Daynix sent (spice-gtk and
> > emulation), I personally prefer the Daynix solution and, as Yuri said already,
> > the glue code required for the nbd is bigger than the emulation code.
>
> Oh. Fair enough. I certainly didn't expect that the nbd glue is more
> code than doing full usb+scsi emulation.
>
> > I also think it is better from the client perspective; updating the host
> > to fix possible problems is much harder than just updating the client.
>
> The qemu usb/scsi/cdrom emulation has seen years of testing.
> So I wouldn't worry too much about bugs there.
>
> > Since the client is also less of a security issue, the client solution reduces
> > the attack surface.
>
> That is wrong IMO. You just have a different attack surface, for the
> most part it moves from the virtualization host (the machine running
> qemu) to the user's box (the machine running spice-client).

In terms of security/attack surface, the cd-sharing in the client is not
different from flash drive redirection (if I'm not mistaken) and should not
increase the risk.

> Whether that is better or not depends much on the deployment. With
> thin clients you might be better off that way. When the spice-client
> runs on a full-blown workstation it might be a rather interesting target
> to attack though.
>
> cheers,
> Gerd
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel