karlthered at gmail.com
Sat Sep 7 11:44:47 UTC 2013
On 06/09/2013 21:38, Richard W.M. Jones wrote:
> On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
>> No, it's less secure than kvm but it still provides better isolation
>> than a mere chroot.
> It doesn't matter if it's more secure than a chroot, because that's
> not what we're talking about. This is about whether you want
> random-person-off-the-internet to upload any software they like and
> run it on your server, and you *do not* want to do that with either a
> chroot or a Linux container [even if OpenShift got away with it].
> And ...
We're talking about a *Fedora* infrastructure, not a public
infrastructure such as a SuSE OBS instance.
As I said, if we were to open it to a larger set of people, I'd go with
>> Secure containers as dwalsh described is a worthy improvement.
> ... SELinux labels will not make that situation any better, because an
> exploit somewhere in the large kernel API bypasses SELinux.
> Dan Walsh's two replies are much more nuanced than you understand.
That last phrase proves that you're being condescending to me, and
that you didn't get my point at all.