Re: Playing around with ostree for apps
- From: Colin Walters <walters verbum org>
- To: Alexander Larsson <alexl redhat com>
- Cc: gnome-os-list gnome org
- Subject: Re: Playing around with ostree for apps
- Date: Tue, 14 Oct 2014 18:14:30 -0400
On Tue, Oct 14, 2014, at 03:15 PM, Alexander Larsson wrote:
Things get really interesting of course if we're really thinking about
production because
because?
I forget what I was writing there...
I agree, we don't want to have setuid binaries lying around, even in the
repo. Can we have files in the repo not store the setuid bit? That would
mean we have to copy the file (not hardlink) when checking out, but how
many files are setuid? Then we could have a no-setuid checkout mode
similar to -U that does not apply this flag at all.
https://bugzilla.gnome.org/show_bug.cgi?id=722984
But this seems like a case for "ostree pull --untrusted" or so?
Even this though I'm not sure about because it seems likely to me that
we want SELinux labeling to happen at install time, by the host policy,
or conversely that apps shouldn't get to determine labels. Possibly we
could enforce that the apps come without security.selinux, but then to
ensure sharing we'd have to compute the checksum on the client of
content + label.
Going to have the same SELinux issues with apps-as-btrfs too of course.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]