From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Fri, 20 Feb 2026 18:24:31 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-pj1-f62.google.com (mail-pj1-f62.google.com [209.85.216.62]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61KHOTh1007415 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 20 Feb 2026 18:24:30 +0100 Received: by mail-pj1-f62.google.com with SMTP id 98e67ed59e1d1-3545b891dd1sf13433475a91.1 for ; Fri, 20 Feb 2026 09:24:30 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1771608264; cv=pass; d=google.com; s=arc-20240605; b=UkW6hqVTEBxj6UOQXqGl2Fb780DYEa6PEqcxNEbwEeb3zCH/3FLy623zaklYZQsst+ qlvICSzJG8MhQg24xP4ISZO+HpT2toDa+oAGqrJrXCAGSLCTF2PMNKtTiMK4zuqbYxha 8eEbz7WxH+YRnl5pWGO+wDhXvB7AgwriXci2YdK2EPNXPbPoce8503GIeFUMV4vE9N+e MTA8NbedUZezJH6pXIlJa8FZ5uJZWH8KWpvNer6ZmbwVfM+zMu7sCEa4ggBICIEk6nEo +08okH72cnQSMAB+X8WxCsLWXVmHd2rH7nycKweUPvXYwqZqR6q+yNfN+9GWq8H5GG2z Hf4Q== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:in-reply-to :autocrypt:content-language:from:references:cc:to:subject:user-agent :date:message-id:dkim-signature; bh=Y+q62k3r7tVQ2l/HjsEPlpIv0gDn8GeAjzPFxee0SZY=; fh=icW9EaI3ut3O0b7iNYANABIkFERDHN8qZFTsNy/W+5s=; b=h0RMT31cvLZkk1T40UspohAhwRn11VXnK1nXmTc9O1gqrCy560xWsbxA8mYbNPq55i ujLAfzMKGtWkfqmiSw4B9rEOGvohlnaEegzrACJUSBE+wJthtHCzZ4r3jxyAQcV2bk7v 7tMneE+zbIb0d42H45plRJZqF9aZInHGVCxoEuOKj+z9Y5GsYkg4qCr8/CZGVDhYQYYO 7biYdVu4rpOUtqVaBQATdfmuy6b7c8Pd4Rz1nvlbMWuYJgJm7uUAESkv2zdt0OcZE4vQ p9nukNjAO1Mm8LAUNL8nH8OyqpCxJTAWeDSpUeWH6EvOublS33j/Mj3nJdx3MeuvBIgi tr1Q==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="u0HF/dcb"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1771608264; x=1772213064; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=Y+q62k3r7tVQ2l/HjsEPlpIv0gDn8GeAjzPFxee0SZY=; b=VHpYjwM4nZW9fiEzL9U8H87Z70e1E5yzTUibdaNnmdOC3eePwaybhSleWDknSIkDqG TZpUe12Yqajpb2dGBJ/5JpkOOKRdkdB6+poS6U0faYOMpMbZuFjKBYAY02Xb4x+OMWcV r9J9cszpEK4Ut3wRP+v9hlPZWOk5eN7X57uPjag8N8putz2EMA5jMQ5yvjNjBalL6UW5 Vq0d/TsLIHNKSopKApMRwMLZv5rj6GEaS6XBH+bFtvlhM4V9jcOcbd6cLFd+eAb0MLtG uHNRN78xvOrNdJ97MPF4dodSZGPR4C5O/g18MXDo/8nAG+Gm+CVgLmqwIVS2sX1l8vAs I0mw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771608264; x=1772213064; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Y+q62k3r7tVQ2l/HjsEPlpIv0gDn8GeAjzPFxee0SZY=; b=lFMkq384eMGbwBu9JoljJ/ZJRtzSylh0yhdGD4UOVg0nO7OXwyJxyvEvooR6dhlfli KUXu++VGt9DnuoLg0KyM4FtApk86m/GEw/lI/F/Fldzt+blZwwnKhsPZhpGqzA5IuqUW BQO6YYFJCMsCnhasvkEUQp6vXFAdtIaah7PjVSrOKW0LY6SkmpV/g28HMf/ZunLvu1FR R/CbWRjtXs0/itbHXGoCc0tUX7E9AlMSVdnBxbW9/dlJQUeJh/JJyV/73MRI24ZxdC2J E6vviWkf9RA7GCq2kgsNeZENnecUkcx/yXLNxzPACnaCJvnrNDjQzx+CPmcTdKvv6c0+ H/2w== X-Forwarded-Encrypted: i=3; AJvYcCUjcTI04a9JCpMpHOc8upjKuv0k7giBnBGK4L5Tafh+mwzGoycXBiPvzJZ2zH3p/Y2Q4lE4@ilbers.de X-Gm-Message-State: AOJu0YwH6Ly1DNToLs666dlgPeUsq6/FEW/hRrgPXGYhdxQo5T9wFjG0 voGHchUzpyMTdsWa2xnXzBKCz1zwH3cho8+65rrH+/LJTuRKQQ9ogOz2 X-Received: by 2002:a17:90b:4b8d:b0:352:ba0f:fb28 with SMTP id 98e67ed59e1d1-358ae7c84famr371821a91.1.1771608263594; Fri, 20 Feb 2026 09:24:23 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+F6GisIH4cDtzLxzsATLKjxXigVtP0wFku+jQG9hwe6cw==" Received: by 2002:a17:90a:d192:b0:356:27ac:43e0 with SMTP id 98e67ed59e1d1-35693b55a99ls8209394a91.2.-pod-prod-03-us; Fri, 20 Feb 2026 09:24:22 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVZcoCLt2fZ9+GR7CvehXUksK7OfjaEsfUwww8QHR8NHYYUGG0hVos452hxe6xp11NlxI8GIflpUfzQ@googlegroups.com X-Received: by 2002:a05:6a20:94c9:b0:35d:cc9a:8bbb with SMTP id adf61e73a8af0-39545f8f1dcmr342947637.47.1771608261837; Fri, 20 Feb 2026 09:24:21 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1771608261; cv=pass; d=google.com; s=arc-20240605; b=JnCLt38DtkXlc+tRmYHMZofCTEqBjYvEgtuy7Riqde/nsYsypKXOxWNeyROqdKam5i McHvlT+qTG+30fTjNjU42lREVMsCsX7Kxu/Er4yfY5xnyjByckTQkSlz2DVjiPqe96Lr ZNv3VsmPoswCuphQ2+J0hcT+4HrfDWnXlZdNlYrITwEXD6a58PPQ2EUvtMPHE7Bvhd7h xEdpR8JpMjkfZHQM88NegNJDZ5vO709Z8FQtDeGmyKakbZT7SUPRC9uv24f5TEgVfzrp Dgcrko6vn0JVcuInA+dOF6BaN9OA2pZuPBMScWNlD+dhLQIqskwSO/ZoXrmiA+RZhbSj rXYg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:in-reply-to:autocrypt :content-language:from:references:cc:to:subject:user-agent:date :message-id:dkim-signature; bh=PtDDQJfTBQNN7vIum/vldMX4hYadYmy2pzU5qQPmnY4=; fh=OPAseo6bwwFPu0Z/TgqZ37S26U8kSSi3ubVyFPIawCA=; b=Qs8qhFajy9uPSv7Ozz72/7IOy9PtxGqXWRcvY++whq9ijgh3bIolNcnnipKVqCPCG7 XA6UMS1PdVSOnc+OnaUxeJKZAeYvTkq8964fQNh5e02i9sZDioUVse4o2aPF/t9iOlCE BolQoStu1wmAYpcLr1/DPkNX2fyaXg9yo6vN0wQbtDlPvGuOVlTbA5DFl5eYTZM3BjiY N60z+koPnCp7+5q2BpYK1UEFKRSvUVOKQK+/SVAyGw+X1dN+NhA7htl8mKM0tL1mjZAE fNqWyjB3CggvU/N/BDYy8fNVvR96Hj+d9U8vOMLmbp0I1sjoYvYFNRLNY0Qf8u3ZN5kO eesg==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="u0HF/dcb"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AM0PR83CU005.outbound.protection.outlook.com (mail-westeuropeazlp170100001.outbound.protection.outlook.com. [2a01:111:f403:c201::1]) by gmr-mx.google.com with ESMTPS id 41be03b00d2f7-c70b717d5a6si3371a12.1.2026.02.20.09.24.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Feb 2026 09:24:21 -0800 (PST) Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) client-ip=2a01:111:f403:c201::1; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gaU6AhxjnVCs6tEX6Gw7OqFDDm3MlCW5QS2rAU2drKU8gFZKCSReVXhGHzqTmrYM/uV4whWYCzo/6tGGgcG3iyvMpubHDjRcrYwQpMFkxAtb5lPoIS7BXtwHdbuLXKSG+3lUZ6iAoqKoptUlGEcaG9BJYHMccnpNiCSDRVHDnz0XDrBE4vG8i1Mz6WkUoQ8eNN278LM3DvD0Xu/+oejoKBh6bE4x484G/qguFL4xFekxPSmqyXXsONT9GPC89hKMj5p8Y5C1UOvCZKtkQ9oaupdGWYtj0l8nH/KjkMvW3YSiOr53oNapyBOYBTGgTKugYeVco0eRIzgM+d0GM06DWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PtDDQJfTBQNN7vIum/vldMX4hYadYmy2pzU5qQPmnY4=; b=P8vnfQUrNCumUirWPTvfQkW64Yr0e0l9w+OI4nkLHxjWjNJS+ek3kjlENYcK4ObwCz70Dauo49St8sUAg8km5vbRY2giqI4jW/ksja4ZjpUsDGCtCkmayiTkCgxuqqJLAE7jPPN1oSJuhmIsLiPpT0p6pksLtGFUj6dvm2zW8kW4JQ+IRZPpPsOi3s0WRJqMyaZXEM/5dqxhUKH/pB+3CSxeCdH2v8m2rLvWW9HohdUUdmx+4lItbHbqGBxNk8yEgYv6s1JmdyMpIWa1+zasHMvUTaKikmA7aLJwGlv2MLVqNYMgOzpAqmHvihmPYR+a8mrTazDGMn4M2k3le8vmIQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) by PRAPR10MB5345.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:297::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.15; Fri, 20 Feb 2026 17:24:17 +0000 Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1]) by AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1%6]) with mapi id 15.20.9632.010; Fri, 20 Feb 2026 17:24:17 +0000 Message-ID: <9abd0d92-26cb-4267-a225-b80100fcdd74@siemens.com> Date: Fri, 20 Feb 2026 18:24:16 +0100 User-Agent: Mozilla Thunderbird Subject: Re: [RFC v2 00/20] add support to build isar unprivileged To: Felix Moessbauer , isar-users@googlegroups.com Cc: quirin.gylstorff@siemens.com References: <20260220171601.3845113-1-felix.moessbauer@siemens.com> From: "'Jan Kiszka' via isar-users" Content-Language: en-US Autocrypt: addr=jan.kiszka@siemens.com; keydata= xsFNBGZY+hkBEACkdtFD81AUVtTVX+UEiUFs7ZQPQsdFpzVmr6R3D059f+lzr4Mlg6KKAcNZ uNUqthIkgLGWzKugodvkcCK8Wbyw+1vxcl4Lw56WezLsOTfu7oi7Z0vp1XkrLcM0tofTbClW xMA964mgUlBT2m/J/ybZd945D0wU57k/smGzDAxkpJgHBrYE/iJWcu46jkGZaLjK4xcMoBWB I6hW9Njxx3Ek0fpLO3876bszc8KjcHOulKreK+ezyJ01Hvbx85s68XWN6N2ulLGtk7E/sXlb 79hylHy5QuU9mZdsRjjRGJb0H9Buzfuz0XrcwOTMJq7e7fbN0QakjivAXsmXim+s5dlKlZjr L3ILWte4ah7cGgqc06nFb5jOhnGnZwnKJlpuod3pc/BFaFGtVHvyoRgxJ9tmDZnjzMfu8YrA +MVv6muwbHnEAeh/f8e9O+oeouqTBzgcaWTq81IyS56/UD6U5GHet9Pz1MB15nnzVcyZXIoC roIhgCUkcl+5m2Z9G56bkiUcFq0IcACzjcRPWvwA09ZbRHXAK/ao/+vPAIMnU6OTx3ejsbHn oh6VpHD3tucIt+xA4/l3LlkZMt5FZjFdkZUuAVU6kBAwElNBCYcrrLYZBRkSGPGDGYZmXAW/ VkNUVTJkRg6MGIeqZmpeoaV2xaIGHBSTDX8+b0c0hT/Bgzjv8QARAQABzSNKYW4gS2lzemth IDxqYW4ua2lzemthQHNpZW1lbnMuY29tPsLBlAQTAQoAPhYhBABMZH11cs99cr20+2mdhQqf QXvYBQJmWPvXAhsDBQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEGmdhQqfQXvY zPAP/jGiVJ2VgPcRWt2P8FbByfrJJAPCsos+SZpncRi7tl9yTEpS+t57h7myEKPdB3L+kxzg K3dt1UhYp4FeIHA3jpJYaFvD7kNZJZ1cU55QXrJI3xu/xfB6VhCs+VAUlt7XhOsOmTQqCpH7 pRcZ5juxZCOxXG2fTQTQo0gfF5+PQwQYUp0NdTbVox5PTx5RK3KfPqmAJsBKdwEaIkuY9FbM 9lGg8XBNzD2R/13cCd4hRrZDtyegrtocpBAruVqOZhsMb/h7Wd0TGoJ/zJr3w3WnDM08c+RA 5LHMbiA29MXq1KxlnsYDfWB8ts3HIJ3ROBvagA20mbOm26ddeFjLdGcBTrzbHbzCReEtN++s gZneKsYiueFDTxXjUOJgp8JDdVPM+++axSMo2js8TwVefTfCYt0oWMEqlQqSqgQwIuzpRO6I ik7HAFq8fssy2cY8Imofbj77uKz0BNZC/1nGG1OI9cU2jHrqsn1i95KaS6fPu4EN6XP/Gi/O 0DxND+HEyzVqhUJkvXUhTsOzgzWAvW9BlkKRiVizKM6PLsVm/XmeapGs4ir/U8OzKI+SM3R8 VMW8eovWgXNUQ9F2vS1dHO8eRn2UqDKBZSo+qCRWLRtsqNzmU4N0zuGqZSaDCvkMwF6kIRkD ZkDjjYQtoftPGchLBTUzeUa2gfOr1T4xSQUHhPL8zsFNBGZY+hkBEADb5quW4M0eaWPIjqY6 aC/vHCmpELmS/HMa5zlA0dWlxCPEjkchN8W4PB+NMOXFEJuKLLFs6+s5/KlNok/kGKg4fITf Vcd+BQd/YRks3qFifckU+kxoXpTc2bksTtLuiPkcyFmjBph/BGms35mvOA0OaEO6fQbauiHa QnYrgUQM+YD4uFoQOLnWTPmBjccoPuiJDafzLxwj4r+JH4fA/4zzDa5OFbfVq3ieYGqiBrtj tBFv5epVvGK1zoQ+Rc+h5+dCWPwC2i3cXTUVf0woepF8mUXFcNhY+Eh8vvh1lxfD35z2CJeY txMcA44Lp06kArpWDjGJddd+OTmUkFWeYtAdaCpj/GItuJcQZkaaTeiHqPPrbvXM361rtvaw XFUzUlvoW1Sb7/SeE/BtWoxkeZOgsqouXPTjlFLapvLu5g9MPNimjkYqukASq/+e8MMKP+EE v3BAFVFGvNE3UlNRh+ppBqBUZiqkzg4q2hfeTjnivgChzXlvfTx9M6BJmuDnYAho4BA6vRh4 Dr7LYTLIwGjguIuuQcP2ENN+l32nidy154zCEp5/Rv4K8SYdVegrQ7rWiULgDz9VQWo2zAjo TgFKg3AE3ujDy4V2VndtkMRYpwwuilCDQ+Bpb5ixfbFyZ4oVGs6F3jhtWN5Uu43FhHSCqUv8 FCzl44AyGulVYU7hTQARAQABwsF8BBgBCgAmFiEEAExkfXVyz31yvbT7aZ2FCp9Be9gFAmZY +hkCGwwFCQWjmoAACgkQaZ2FCp9Be9hN3g/8CdNqlOfBZGCFNZ8Kf4tpRpeN3TGmekGRpohU bBMvHYiWW8SvmCgEuBokS+Lx3pyPJQCYZDXLCq47gsLdnhVcQ2ZKNCrr9yhrj6kHxe1Sqv1S MhxD8dBqW6CFe/mbiK9wEMDIqys7L0Xy/lgCFxZswlBW3eU2Zacdo0fDzLiJm9I0C9iPZzkJ gITjoqsiIi/5c3eCY2s2OENL9VPXiH1GPQfHZ23ouiMf+ojVZ7kycLjz+nFr5A14w/B7uHjz uL6tnA+AtGCredDne66LSK3HD0vC7569sZ/j8kGKjlUtC+zm0j03iPI6gi8YeCn9b4F8sLpB lBdlqo9BB+uqoM6F8zMfIfDsqjB0r/q7WeJaI8NKfFwNOGPuo93N+WUyBi2yYCXMOgBUifm0 T6Hbf3SHQpbA56wcKPWJqAC2iFaxNDowcJij9LtEqOlToCMtDBekDwchRvqrWN1mDXLg+av8 qH4kDzsqKX8zzTzfAWFxrkXA/kFpR3JsMzNmvextkN2kOLCCHkym0zz5Y3vxaYtbXG2wTrqJ 8WpkWIE8STUhQa9AkezgucXN7r6uSrzW8IQXxBInZwFIyBgM0f/fzyNqzThFT15QMrYUqhhW ZffO4PeNJOUYfXdH13A6rbU0y6xE7Okuoa01EqNi9yqyLA8gPgg/DhOpGtK8KokCsdYsTbk= In-Reply-To: <20260220171601.3845113-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8" X-ClientProxiedBy: FR0P281CA0052.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:48::20) To AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS4PR10MB6181:EE_|PRAPR10MB5345:EE_ X-MS-Office365-Filtering-Correlation-Id: 615057b5-35a4-4084-7ba9-08de70a4e00b X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|366016|7142099003; X-Microsoft-Antispam-Message-Info: =?utf-8?B?RkNCUG10TXBpQjRpbC8zV2hEYkEwKzF2aER4YTVpVjlmbUd6VlJUUHJ6S2VP?= =?utf-8?B?dHlJS3F1TUF5M2hML2hIeUt6RDA2T25taFFnZWs0ZW1QUDBXRTAxb05Kazk1?= =?utf-8?B?RldzZXVBVFZxR3lGSFNramFIY0N2U0ZJS09XbkxRSDF3WkI5eWZ6U0VaWnhy?= =?utf-8?B?aTdFOXRKNGE4NDljRHdpS2F0NUlLLzEwcGhSSG55UWlKTmphUVY3b3owWHZE?= =?utf-8?B?MEVLekV0UzVwV2lnSUtDOGlJSEEzaDZqOWNKd21PY01oT3ZwVndJamU3RXUv?= =?utf-8?B?azJqSlMwZTNGckgxWklDM3RzeFB1eFJmSHBFK2FpWGF2bTdwNXNBRTExWUFM?= =?utf-8?B?MDJDTEZObkQyb1ppc3ljTjk1cTF0UlQxOHZ3WEFnVm0wL2RERURmRWFoN2Zq?= =?utf-8?B?RkJDOVhOVUpMWTdJY3pjeVZIWVBzVTM5WEUwc3NjRUhPc0hScklabGpJR1VF?= =?utf-8?B?ak5nd2U0a2p4QVVWZytzVFN4TndLckxiVVA1eGp2NlNMMitkTE04N2sxa3pz?= =?utf-8?B?Q284Y1RNQXowZ1hJei9rcElxR09xZ2Eyc2I2OGNCTjdxb3FuNFhONmlNTXZx?= =?utf-8?B?bW8yMDV6YXlaaWN5aXJJUjQxdFp5Tyt4S0h6RUxRSW9JUDdiOUtKZjhqb0RX?= =?utf-8?B?aEJsQjRJMktwN1BjU3NFYU9BSzFuTWFNcDV5RjhlZW1pRE02M2RrWEJNZm5j?= =?utf-8?B?UXlWRUlqQXB3TzBMK0pTaWFKKzRxcjRtZ2R3Y28yU3hzNklHOG1aZWM5Vktt?= =?utf-8?B?UzBubi9xdm1TNTVoY0xoRE1DbzJ3N2RycEVzOWxlUUkxV3pHczZVTjFpUjhp?= =?utf-8?B?M3grMXpQa012OUlQMC80TE8wNlJ6bWd1Wnl3OUp4NVl4OFQzZXhhdnZFOFN2?= =?utf-8?B?MWc0b3BoalJjdHVrbmZ0Y3VhNGF0OEo3a2VGdVE0a3NBcDV4dElHMU9iZS8y?= =?utf-8?B?NEQ4TUc2dHlGUXNwVXYvK3Z3NFlZU3hPeDZSZGdOc2xnVktva2ZjYm1nNE5m?= =?utf-8?B?WWVNSkRwb0wwNEh4citTa25xS1RDZFFJMWRWTUZVMG9KY0x1WXJiTTFuWnF2?= =?utf-8?B?VnU2cEszaW43Tk5FQ1dYWEVDQWtYQkRBdmxpRFNMVnhrRTd5eGt2UnpRUXF4?= =?utf-8?B?NzNrOHN3RWJBZ09pR0NQcHRIR1VZaStkYU5Rc3R6aG8xb2VDUmo2Z3Yza25t?= =?utf-8?B?VVJRRkZKNEpGQzE0ZDhON1BMemllazFCWTlNRGFzdnZqWURpQzBFdHVzV0lG?= =?utf-8?B?V1VxREY0dmdHM3E0MjVGVnBsaEZRSUlBUlBKUkloM2V1Rno2ekNWWGtwRldI?= =?utf-8?B?c2FXRmZoLytuVGhJVTZDc1FBZXh1K2tkZmEyZXU3WThXK0NkaGJuZXk3Rzli?= =?utf-8?B?cXR6SXpVQmJudXB0bUlGbU0vTXd2aUgwZVNGMXYwS1UvT0U2Z0pIQ3NoaVNC?= =?utf-8?B?R0Z1UnVqVk1yWFhTVVhiQXBwbkkyYU5YWmFMS1BBVUY5YTFBV3RzdTFlbElT?= =?utf-8?B?MjFBZ2tndTdSb3JZa0JqZHBDV21XaDArTVZSMmVPQkl6dGh0OWZNMXd0eFcy?= =?utf-8?B?bVNQNTl0N3hoR2FKS0FaaCtjVHRoL3RwcWlVaWptQWdPclA1Mkc5ck51bVVL?= =?utf-8?B?MmJBeVZ4RmF4Qk5MVU1YcXFEY2hSMEx6ZHRwRGhacWxxUzFoTUhKQUVxVy9w?= =?utf-8?B?R01mbGY5R1R0V3JQZHhtN1hHWDFqdFZFSVh1QXVzaHZVZnpGdEY3TUxjQmZI?= =?utf-8?B?ZGw4VW10SmY2Nk1iMmZnVnFoK2o2dWQ3NUZQMDExRHlacHhjRnRyODYrTVlx?= =?utf-8?B?TzRDRlVnakYwaTBpV1hwK2s0UnRnNnZFWW9RNGFRRFN0Snd6YURTZWd6dnRo?= =?utf-8?B?VDNQMHRqYjJSSnl6V2kxUFBDbUhDSDFRUHVvUStha2x1UUErK1BlZ21HUnZR?= =?utf-8?B?N2c1VkFGUTBxOUV2YnhhQ3EyUC9aVlZIcWtTVEFtMW9HWU1Rei9xTVFhMjFQ?= =?utf-8?B?SnNFaU5IamVFUkYvMFdQR1hEUzhIcjhFNzlWSlhhMnJYT0I5UkNXVHE0aEZL?= =?utf-8?B?SUhkYXdjWWJ4ZnNIYkphdVlIeUprck5rMVFEMHpsSWRXY3JJR2hPT0dsT1Fr?= =?utf-8?Q?xUWg=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016)(7142099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?cVhlcUxkeXpTV1hjNnRoYXFrYlpWdGYvbXEyUU90RDh3ZjY2WUVCU3huSW5V?= =?utf-8?B?b1hzdm9WYnl6RmRTMVVhaTEwZGZXbzhpSi9razFhNEdOVGpkSlVUd1NVSysw?= =?utf-8?B?bFdGSEhPUkoyaUhOVzZXTHhES01XUGtycXZUMTJsOHRrZEV3UHMvVGhjbVVN?= =?utf-8?B?NkZYRlNaVXNxWXNxcmE0ekJKMXNvazMram9JVjFNcXZ5d05OVzZQcFFKcElm?= =?utf-8?B?L2xCTUZQZC9qT2Y3K2VOR3lIOE04ajQ3NWl5VXdGR1hYazNiY2tNSTBiVmlI?= =?utf-8?B?cEg2eXdKd1Z1SHNvSERFTlpDSmhZNDZMYkM0aHVVNVJIamZTNEVORjJ0S2sz?= =?utf-8?B?b3ozeklIY09YZmtPUWNnam5KY2dzV081eGQyUzhOZzVYVlVQZytRdFlsSEVD?= =?utf-8?B?SWZPUy80RzluNVlNRGRjV1QreWxOdmNvM1N3M0JmU0M1cEtnQW5HRzFJMTdp?= =?utf-8?B?SGxhcTVQakg5dytKa2Y4U21iUDZlSW52dTFYaTEwK1JiMElPNzJ0ZjRLc2hs?= =?utf-8?B?dldoSmxXVTFsdGNpb3lYYlB1ZTRoZTlNRlF0RHVrcHJlU3gzTGIzNGgxMDQ2?= =?utf-8?B?VmJvVEZvemJmNzBJWmZaY3gwRTNaSUlvNkhETm01eGEyYVBQdmJVYm9ITTFh?= =?utf-8?B?ZDAyc25jR1h5VXVQaDlRdDBORUN4Y2w1MFRUbEN2RzBOSUN2ZzNEdlNxUWlM?= =?utf-8?B?RXZZS0lhdFhrRDdWS2RiSkRYRGh4WGI0SlhxUEgvMnI3UzJkd01YNmFqWkVt?= =?utf-8?B?ZEM4Tm1nbmFBQ21kSnNWQXRkeFBEQ3BDZkRuWjJZTEJoTmZVeGsxVGlkdVdP?= =?utf-8?B?MzhjQUZLSFp2RHN3UGl3QzZacloxQ3JmT2RsV2NNSHRXYlZ5bHpEbGh3MmZm?= =?utf-8?B?Q1VSTW9KM0daSHRNdWM3TDhXY2tENVFPWkRJVXlPMzNjNmlJSGpIZTRZV2Vx?= =?utf-8?B?b0FZcTVJQ2FXTlE1ZlBwUTNMVEp5Nmp1aExRbjZyQ1ptaXkvM1RycmNBaSsw?= =?utf-8?B?b0h5b0xQRHdHa0ZvRU1NZjlFRXpoNGNsbkp0b0ZneThLN0h4ZjJ0VWo5dkY4?= =?utf-8?B?QmFvMThablM2c3VRUFJNMTVXYnJmWXY5ZEQ4NzEraWNLRGZ3Qy83VzJhcmc1?= =?utf-8?B?Q0NzaDhIUlBnVTVYRTdMakhaNi9rd2RUSTFHWkNXQjZWSGN1VjRUWnhDMnJK?= =?utf-8?B?bnd0UGxnVXYzSzlBdEllSW1zZHZRcGplN1RlMlhLd29Obm5tUHNtTmxScm10?= =?utf-8?B?OCt4MlQ1SXgzU0EybGNnM2N1eWRvY1lXUFlyNnRSdC93ZzlIWVNJcGYrU3hM?= =?utf-8?B?UllNZCtHZzE3bHR5a1U5bER1cFR4amVZRCtuSWxVb2YvTk5HaCsvN1lRNFZO?= =?utf-8?B?RXdtNlJ3cngvOXUzQW9jd2FSNnNWK3B0RnMxMHZ5a284LzFPVVF5MlBLbXhU?= =?utf-8?B?bEJDeHFnT3M4Q0JNQjRzeGlvVHdmWmVQbk5GVWNWY2JXVGl3Uk15SVJ1OXRH?= =?utf-8?B?eXplb0xBLyt3MTJWVFNzTlBoYS94eDFVbDNidEFOMUJZc08vUjhveGlVYkV3?= =?utf-8?B?c1hRblA4ZWlRUDlxRE1vaEROVHNpQzd4U3I5L2ZmMFJYREZDUWhlcDdKZTVm?= =?utf-8?B?aU1LekVEOFJNclNwcHkrU3hmNUxYWUlNUzZQWndUQ1dqNXNiTFUwdnBKaWJQ?= =?utf-8?B?YlVrdW51aVVvVmdoWE5mSkRpU3VZTFFZZ2YrclQyWUZWK2pSRnd2R21GbEVv?= =?utf-8?B?aGl1bEhyTjEyOHQ4WjRlYkcxbjdwcVRjRloyeHRnbHhBRDR1RXREMFo0bS91?= =?utf-8?B?UlZuUk5UMVBYWXdWQ3ZNdHhJYm8zUENJRjdHVlNFS1NRRHhTMUxodUJYdTRX?= =?utf-8?B?OGJWZEJOZFpNU0xaMmJuVW1Mc215Wk5VZkR2QjJPNnlYUVY3ZldXZVp3ZTlo?= =?utf-8?B?WTZZYzFBS3RUdHBuRWRackMrU0pMWmN3OElXcXVYSkZmS0J2VU5UOUhhYkdn?= =?utf-8?B?WXIvSnV3SkUzeGZDNURxajRGWGY3bDJnZ2NqSTdOc2RRQVNmVFdNakVuM1kw?= =?utf-8?B?N3E5MEFLNXZIR2l0NUJ3VDZUV01lcUVtWW1uRmZuc1JIdHhOSS9NWTZJS20r?= =?utf-8?B?SmtLRy9rR2M0b0dseGRRNm1UWEo3WnYrRzA5aDRnK3Y0VHJwZklzS3dpR25M?= =?utf-8?B?V3dtZGgwcXhRcEM5aHNodGhqM0VOVS95bTg2V3dRclBKUkV3Y0k2Z1VHT1JK?= =?utf-8?B?b3dheDdrYXhTNWYvTmR3NkVBZGpLdzY0b01RNTcwTkh3WDVHVzBFR1NrOTdI?= =?utf-8?B?S2RJUzFLMXVBSWdXcFNOZ09MYWJXcnJBS2FtVHdNVmZ2ZU44L3hkZz09?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 615057b5-35a4-4084-7ba9-08de70a4e00b X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Feb 2026 17:24:17.0016 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: gu88biO8wc9qEh4XkxojecAWtecEtwuXJmio9STMjSnyt6TrGFeZGkigoXpRZ77IH83grb0P8VqatMkg8fp1bA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PRAPR10MB5345 X-Original-Sender: jan.kiszka@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="u0HF/dcb"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Jan Kiszka Reply-To: Jan Kiszka Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: Sodb1rfejNoK On 20.02.26 18:15, Felix Moessbauer wrote: > Dear isar-users, > > currently isar requires password-less sudo and an environment > where mounting file systems is possible. This has proven problematic > for security reasons, both when running in a privileged container or > locally. > > To solve this, we implement fully rootless builds that rely on the > unshare syscall which allows us to avoid sudo and instead operate in > temporary kernel namespaces as a user that is just privileged within > that namespace. This comes with some challenges regarding the handling > of mounts (they are cleared when leaving the namespace), as well as > cross namespace deployments (the outer user might not be able to access > the inner data). For that, we rework the handling of mounts and artifact > passing to make it compatible with both chroot modes (schroot and > unshare). > > The patches 1-10 align the file permissions of deployments and artifacts > to avoid the use of chown (which will not work anymore across uid > boundaries). In addition, helpers are introduced to perform privileged > operations, which simplifies the migration of existing layers. > > The patches 11 and 12 introduce the unshare mode, which can be executed > as a normal user and does not require root. To enable this mode, set > ISAR_ROOTLESS = "1". > > While the series is by far not complete yet, it already passes the DevTest > CI. Know issues are currently: > > - no support for VM and container images Reading the changelog below, I guess this line is obsolete, right? > - unprivileged cleanup of the build/tmp dir is non trivial ... but has scripts/isar-clean-builddir now. > - sporadic issues on partial rebuilds on rootfs_install_sstate_finalize > - interfaces between kas and isar need to be defined > > Note, that this series can be tested on a custom kas-container build > provided in [1]. Hints how to migrate downstream layers are provided > in the API changelog. > > Changes since RFC 1: > > - switch build_type to isar-rootless in isar.yaml (Note: switch back > if testing locally in a unprepared kas container) > - complete overhaul of the mounting in unshared namespaces > - fixes the systemd presetting > - fixes hangs when pulling from snapshot mirrors > - rename the run_privileged_here to run_privileged_heredoc to clarify its intention > - add support for > - dpkg-source with do_fetch_common_source > - vm images > - container images > - discoverable disk images > - add helper script to clean build dir in unprivileged mode > - reduce clutter we leave after finishing a build > - fix issues when running in a privileged environment without sub user ids > - bugfixes > > Still missing is the support for the devshell. Further, the rootless build dir > must not reside in a git worktree (a normal git dir is fine). This is probably a > bug in combination with kas-container. > > [1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg > > Best regards, > Felix Moessbauer > Siemens AG > > Felix Moessbauer (19): > refactor bootstrap: store rootfs tar with user permissions > deb-dl-dir: export without root privileges > download debs without locking > introduce wrappers for privileged execution > bootstrap: move cleanup trap to function > rootfs: rework sstate caching of rootfs artifact > rootfs_generate_initramfs: rework deployment to avoid chowning > wic: rework image deploy logic to deploy under correct user > use bitbake function to generate mounting scripts > apt-fetcher: prepare for chroot specific fetching > add support for fully rootless builds > add helper script to clean artifacts in build dir > apt-fetcher: implement support for unshare backend > vm images: make compatible with rootless build > ddi image: convert to two stage deploy > container images: make compatible with rootless build > dpkg-source: implement multiarch support for unshare backend > rootfs: remove temporary sstate deploy directory after task execution > use copy of sbom-chroot for sbom creation > > Kconfig | 2 +- > RECIPE-API-CHANGELOG.md | 58 +++++ > doc/user_manual.md | 2 + > kas/isar.yaml | 2 +- > meta/classes-global/base.bbclass | 132 +++++++++++ > meta/classes-recipe/deb-dl-dir.bbclass | 20 +- > meta/classes-recipe/dpkg-base.bbclass | 20 +- > meta/classes-recipe/dpkg-source.bbclass | 42 +++- > meta/classes-recipe/dpkg.bbclass | 16 +- > .../image-account-extension.bbclass | 4 +- > .../image-locales-extension.bbclass | 13 +- > .../image-postproc-extension.bbclass | 30 +-- > .../image-tools-extension.bbclass | 96 +++++++- > meta/classes-recipe/image.bbclass | 24 +- > meta/classes-recipe/imagetypes.bbclass | 47 ++-- > .../imagetypes_container.bbclass | 37 ++-- > meta/classes-recipe/imagetypes_ddi.bbclass | 8 +- > meta/classes-recipe/imagetypes_vm.bbclass | 29 ++- > meta/classes-recipe/imagetypes_wic.bbclass | 12 +- > meta/classes-recipe/rootfs.bbclass | 205 +++++++++--------- > meta/classes-recipe/sbuild.bbclass | 36 ++- > meta/classes-recipe/sdk.bbclass | 22 +- > meta/classes-recipe/squashfs.bbclass | 2 +- > meta/classes/sbom.bbclass | 29 ++- > meta/conf/bitbake.conf | 7 +- > meta/lib/aptsrc_fetcher.py | 90 +++++++- > .../isar-mmdebstrap/isar-mmdebstrap.inc | 47 ++-- > .../sbom-chroot/sbom-chroot.bb | 11 +- > .../sbuild-chroot/sbuild-chroot.inc | 24 +- > scripts/isar-clean-builddir | 73 +++++++ > .../unittests/test_image_account_extension.py | 9 +- > 31 files changed, 886 insertions(+), 263 deletions(-) > create mode 100755 scripts/isar-clean-builddir > Let's try again... Jan -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/9abd0d92-26cb-4267-a225-b80100fcdd74%40siemens.com.