fakesystemd package breaking builds

Stephen John Smoogen smooge at gmail.com
Thu Aug 28 18:47:20 UTC 2014 

On 28 August 2014 12:10, Lennart Poettering <mzerqung at 0pointer.de> wrote:

> On Thu, 28.08.14 07:24, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
> > >>> But regarding kmod/devicemapper, can we please get some stats about
> how
> > >>> big this individually are, and how much is saved by this? kmod at
> least
> > >>> is 150K or so only. Is there really any value in doing this weird
> stuff
> > >>> for a fricking 150K?! Fedora has no bigger fishes to fry?
> > >> I'll prepare stats for you tomorrow.
> > >>> The systemd-container or fakesystemd stuff sounds awfully adhoc. Can
> we
> > >>> please always discuss this first, and see if we can find a different
> > >>> solution? We don't need three different "solutions", if one works
> > >>> too...
> > >> We've talked about this on Flock - it's not only about disk space
> > >> but also about security reasons (CC'ing Dan Walsh). My goal was not
> > > Dan, can you elaborate what the rationale for this is?
> >
> > It is not about Security escalation is is about the need to update a
> > container image if a CVE happens on any of the packages installed.
> > Basically we want to keep the turn on images as small as possible.  If
> > systemd, kmod, udev ... have a CVE and they are not used within an
> > image, then we would still need to update the image because it
> > containers "Vulnerable" code, or potentially vulnerable code.
>
> Is kmod/systemd really that bad with CVEs? I mean, if there was a large
> number of them, maybe that's something to think about, but I see 2 in
> 2012, and 5 in 2013, and 0 in 2014... and those are not really the
> biggest issues in the world either, and certainly not in any way
> relevant if you just leave the files lying around....
>
>
Past performance does not indicate future pains. It doesn't matter if an
application even have had 0 in the past.. the idea of having to respin
every image because of a piece of software which isn't needed but is
included in everything will cause the bristles go up for any large
organization that must pass audits. (or a company that hosts for companies
that must pass audits). It doesn't matter that it can't be used to break
out of the image etc.. it is more about potential work and what can cause
that potential work.

[This is non-rational but is how things work and after twenty years of
telling people that putting antivirus on a linux desktop doesn't solve a
problem... it isn't the sort of problem which goes away with a rational
argument.]

-- 
Stephen J Smoogen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140828/df1ecc48/attachment.html>

More information about the devel mailing list