1 |
On Thu, May 15, 2014 at 4:12 AM, Thomas D. <whissi@××××××.de> wrote: |
2 |
|
3 |
> Hi, |
4 |
> |
5 |
> Ryan Hill wrote: |
6 |
> > Probably best to make FEATURES=distcc disable network-sandbox |
7 |
> > then. People enabling it are explicitly saying they want to access |
8 |
> > the network. |
9 |
> |
10 |
> Do you really think it is a good behavior to automatically disable |
11 |
> something you can call a "security feature"? At least there should be a |
12 |
> warning, not? |
13 |
> |
14 |
|
15 |
I think you are reading much further into Ryan's statement than he intended. |
16 |
|
17 |
|
18 |
> |
19 |
> Think about situations where the user just know "network-sandbox is |
20 |
> important, because it will protect my system from unwanted |
21 |
> modifications" (the thing where the test suite for example will write to |
22 |
> the local, productive, database server...) and therefore explicitly |
23 |
> enable that feature by hand. |
24 |
> |
25 |
> But the user is *also* using distcc to speed up the compilation/update |
26 |
> time in his/her network. |
27 |
> |
28 |
> The user maybe knows that distcc is using network, but he/she might be |
29 |
> surprised that it won't work together with the network-sandbox feature. |
30 |
> If we now silently disable network-sandbox because the user also set |
31 |
> distcc he/she might be even more surprised when he/she noticed that |
32 |
> his/her local productive database system was accessed by emerge though |
33 |
> he/she enabled network-sandbox feature to prevent this (but which was |
34 |
> automatically disabled without a warning). |
35 |
> |
36 |
> Because it is security relevant and the impact could be a real problem I |
37 |
> won't even show just a warning the user could miss. If network-sandbox |
38 |
> *and* distcc are both set, emerge should fail complaining about the |
39 |
> problem. |
40 |
> This is something the user should be aware of and must be solved by hand. |
41 |
> |
42 |
> So if we decide to enable the network-sandbox feature by default (which |
43 |
> we should do), users also using distcc must take action. |
44 |
> |
45 |
> And if in future we will solve the problem so that both features can be |
46 |
> used together, we should send out a news item for people using the |
47 |
> distcc feature telling them "Now you can re-enable (the default) |
48 |
> network-sandbox feature"... |
49 |
> |
50 |
> |
51 |
> -Thomas |
52 |
> |
53 |
> |
54 |
> |