Haïkel Guémar karlthered at
Sat Sep 7 11:44:47 UTC 2013

Le 06/09/2013 21:38, Richard W.M. Jones a écrit :
> On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
>> No, it's less secure than kvm but it still provides better isolation
>> than a mere chroot.
> It doesn't matter if it's more secure than a chroot, because that's
> not what we're talking about.  This is about whether you want
> random-person-off-the-internet to upload any software they like and
> run it on your server, and you *do not* want to do that with either a
> chroot or a Linux container [even if OpenShift got away with it].
> And ...

We're talking about a *fedora* infrastructure, not a public
infrastructure such as SuSE OBS instance.
As i said, if we were to open it to a larger set of people, i'd go with
KVM too.

>> Secure containers as dwalsh described is a worthy improvement.
> ... SELinux labels will not make that situation any better, because an
> exploit somewhere in the large kernel API bypasses SELinux.
> Dan Walsh's two replies are much more nuanced than you understand.
> Rich.

That last phrase proves that you're being condescending with me, and
that you didn't get my point at all.

best regards,

More information about the devel mailing list