Re: Using the host /etc in the runtime

[Alexander Larsson <alexl redhat com>]

On tis, 2015-01-27 at 14:19 -0500, Colin Walters wrote:
> On Mon, Jan 19, 2015, at 04:37 AM, Alexander Larsson wrote:

> > Secondly, the other goal is to ensure one app+runtime works on *any*
> > system. 
>
> "works" will depend on one's PoV; for some organizations, this TLS
> certificate issue will be quite important.

Sure, but that doesn't mean the only way to make that work is to expose
the full host /etc.

> And even if there was just one distribution layout (e.g. /etc/pki was
> standard), one still has to account for version skew over time.  Say that
> an app wants to look for some new system configuration - for example,
> http://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> It'd be possible for the app runtime's openssl/gnutls to have this change,
> but the target system not.  That's a case where the shared libraries
> inside runtimes would need to be prepared to handle arbitrarily old
> content in /etc, or alternatively, some sort of versioned ABI, so xdg-app
> would error out if the app's runtime required too new of a host.

Yeah, this whole area is pretty fucked up. My opinion is that we need to
figure out the best way to represent it in the sandbox, and then do
whatever mapping is needed from the host system so that it looks right
from the point of view of the sandboxed app. This could be done by
building xdg-app on the distro with the right configuration given the
distro it runs on. But yeah, for future compat we probably need some
level of versioning here.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a sword-wielding umbrella-wielding senator with no name. She's a 
cosmopolitan mutant magician's assistant who can talk to animals. They 
fight crime!