
On Tue, 2017-02-14 at 16:20 +0000, Daniel P. Berrange wrote:
On the other hand, we really only care about having the ACL APIs when we are isolating QEMU, which only happens on Linux due to the namespaces requirement... So maybe we could have it as a strict requirement on Linux only, and as an optional dependency on other platforms?

IMHO it'd be better to just disable the namespace code at build time if we don't have libacl rather than adding mandatory build deps.

I'm afraid that might lead to people forgetting to install libacl-devel[1] on Linux and ending up with less security than expected / desired as a result.

Moreover, we're talking about a package which is literally 35k in size: I would be way more inclined to pay the price in increased code complexity if we were not dealing with what will basically end up as a rounding error on any reasonable hypervisor host. Not to mention systemd depends on it, so it will be part of the core package set on most modern Linux distributions.

[1] I know I did while trying to figure this bug out ;)

--
Andrea Bolognani / Red Hat / Virtualization