Date: Wed, 31 Jan 2018 16:21:18 +0100
From: Baurzhan Ismagulov
To: isar-users@googlegroups.com
Subject: Re: [PATCH 0/9] first wic integration
Message-ID: <20180131152118.GJ6508@yssyq.radix50.net>

On Wed, Jan 31, 2018 at 03:01:48PM +0100, Jan Kiszka wrote:
> >> BTW, we also need to address unprivileged or container-compatible
> >> binfmt, or we won't be able to do cross stuff. Probably solvable, maybe
> >> via namespace support for binfmt in the upstream kernel, but far from
> >> reachable in the near future.
> >
> > That is another issue to fix, but it isn't related to hacking wic, is it?
>
> It is related to the question if we need to worry about sudo wic right
> now or can do this when all the other issues that prevent unprivileged
> Isar building are solved. I would say the latter applies here.

Unprivileged != container-compatible. Sudo is a hack. Solving it has value.

That said, my concern isn't prioritizing that. My concern is imposing sudo on wic users when we already have an effective, manageable workaround in master.

There is also an architectural issue with that. All-in sudo would hide the details why we need it, thus moving unprivileged builds farther away.

At the end, wic should be compatible with Isar and be available without importing it into Isar. If we want to work with upstream, we should start with that and not with breaking the existing code. If existing tools were sufficient, we wouldn't need Isar in the first place; upstreaming should be a good practical trade-off and not transform into purification that stands in the way.

Thus my suggestion to keep selective sudo in wic. It doesn't require reworking the series, we can just drop the patch 7.

With kind regards,
Baurzhan.