Re: [libvirt] [PATCH 2/4] configure: Make ACL mandatory when building the QEMU driver
On Tue, Feb 14, 2017 at 05:47:27PM +0100, Andrea Bolognani wrote:
On Tue, 2017-02-14 at 16:20 +0000, Daniel P. Berrange wrote:
> > On the other hand, we really only care about having the ACL
> > APIs when we are isolating QEMU, which only happens of Linux
> > due to the namespaces requirement... So maybe we could have
> > it as a strict requirement on Linux only, and as an optional
> > dependency on other platforms?
>
> IMHO it'd be better to just disable the namespace code at build
> time if we don't have libacl rather than adding mandatory build
> deps.
I'm afraid that might lead to people forgetting to install
libacl-devel[1] on Linux and ending up with less security
than expected / desired as a result.
You can make the same argument about many other libraries we have
optional dependancies against, libcapng, libselinux, apparmour,
etc.
Our general policy is for libraries to be optional and I don't
see a reason for this to be a different case
[1] I know I did while trying to figure this bug out ;)
If we disabled namespace support when libacl is missing at
build time you would have noticed quite quickly that you
weren't using namespaces.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|