| 1 |
On Thu, May 15, 2014 at 4:12 AM, Thomas D. <whissi@××××××.de> wrote: |
| 2 |
|
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> Ryan Hill wrote: |
| 6 |
> > Probably best to make FEATURES=distcc disable network-sandbox |
| 7 |
> > then. People enabling it are explicitly saying they want to access |
| 8 |
> > the network. |
| 9 |
> |
| 10 |
> Do you really think it is a good behavior to automatically disable |
| 11 |
> something you can call a "security feature"? At least there should be a |
| 12 |
> warning, not? |
| 13 |
> |
| 14 |
|
| 15 |
I think you are reading much further into Ryan's statement than he intended. |
| 16 |
|
| 17 |
|
| 18 |
> |
| 19 |
> Think about situations where the user just know "network-sandbox is |
| 20 |
> important, because it will protect my system from unwanted |
| 21 |
> modifications" (the thing where the test suite for example will write to |
| 22 |
> the local, productive, database server...) and therefore explicitly |
| 23 |
> enable that feature by hand. |
| 24 |
> |
| 25 |
> But the user is *also* using distcc to speed up the compilation/update |
| 26 |
> time in his/her network. |
| 27 |
> |
| 28 |
> The user maybe knows that distcc is using network, but he/she might be |
| 29 |
> surprised that it won't work together with the network-sandbox feature. |
| 30 |
> If we now silently disable network-sandbox because the user also set |
| 31 |
> distcc he/she might be even more surprised when he/she noticed that |
| 32 |
> his/her local productive database system was accessed by emerge though |
| 33 |
> he/she enabled network-sandbox feature to prevent this (but which was |
| 34 |
> automatically disabled without a warning). |
| 35 |
> |
| 36 |
> Because it is security relevant and the impact could be a real problem I |
| 37 |
> won't even show just a warning the user could miss. If network-sandbox |
| 38 |
> *and* distcc are both set, emerge should fail complaining about the |
| 39 |
> problem. |
| 40 |
> This is something the user should be aware of and must be solved by hand. |
| 41 |
> |
| 42 |
> So if we decide to enable the network-sandbox feature by default (which |
| 43 |
> we should do), users also using distcc must take action. |
| 44 |
> |
| 45 |
> And if in future we will solve the problem so that both features can be |
| 46 |
> used together, we should send out a news item for people using the |
| 47 |
> distcc feature telling them "Now you can re-enable (the default) |
| 48 |
> network-sandbox feature"... |
| 49 |
> |
| 50 |
> |
| 51 |
> -Thomas |
| 52 |
> |
| 53 |
> |
| 54 |
> |
Archives