Date: Wed, 31 Jan 2018 16:46:40 +0100
From: Henning Schild
To: Baurzhan Ismagulov
Subject: Re: [PATCH 0/9] first wic integration
Message-ID: <20180131164640.67f24acb@mmd1pvb1c.ad001.siemens.net>
In-Reply-To: <20180131152118.GJ6508@yssyq.radix50.net>

On Wed, 31 Jan 2018 16:21:18 +0100, Baurzhan Ismagulov wrote:

> On Wed, Jan 31, 2018 at 03:01:48PM +0100, Jan Kiszka wrote:
> > >> BTW, we also need to address unprivileged or container-compatible
> > >> binfmt, or we won't be able to do cross stuff. Probably
> > >> solvable, maybe via namespace support for binfmt in the upstream
> > >> kernel, but far from reachable in the near future.
> > >
> > > That is another issue to fix, but it isn't related to hacking
> > > wic, is it?
> >
> > It is related to the question if we need to worry about sudo wic
> > right now or can do this when all the other issues that prevent
> > unprivileged Isar building are solved. I would say the latter
> > applies here.
>
> Unprivileged != container-compatible.
>
> Sudo is a hack. Solving it has value.
>
> That said, my concern isn't prioritizing that. My concern is imposing
> sudo on wic users when we already have an effective, manageable
> workaround in master.

No, we do not. The stuff in master is a ton of "sudo" and all-you-can-eat
sudo for plugins, totally unsafe like the patch I sent.

> There is also an architectural issue with that. All-in sudo would
> hide the details why we need it, thus moving unprivileged builds
> farther away.

I have a patch ready that takes care of "du" and "mkfs" and therefore
documents their "sudo" needs.

Henning

> At the end, wic should be compatible with Isar and be available
> without importing it into Isar. If we want to work with upstream, we
> should start with that and not with breaking the existing code. If
> existing tools were sufficient, we wouldn't need Isar in the first
> place; upstreaming should be a good practical trade-off and not
> transform into purification that stands in the way.
>
> Thus my suggestion to keep selective sudo in wic. It doesn't require
> reworking the series, we can just drop the patch 7.
>
> With kind regards,
> Baurzhan.