
On Fri, May 05, 2023 at 02:04:01AM -0700, Andrea Bolognani wrote:
On Thu, May 04, 2023 at 02:21:57PM -0400, Laine Stump wrote:
On 5/4/23 4:33 AM, Andrea Bolognani wrote:
I don't think we need the BuildRequires, or the build time detection, at all. Just
#define NFT "nft"
in the relevant file and be done with it. We'll locate the binary at runtime, same as we're doing with most of them already.
Are we? What's the huge list of "optional programs" in meson.build then?
Leftovers, that I intend to clean up At Some Point™ :)
I don't have any problem with doing all binary-location at runtime, as long as we don't think there's any potential security problem / bug that could arise from having a different binary with the same name added in some place earlier in $PATH
If some malicious actor can alter root's $PATH, or inject binaries into it, it's pretty much game over already.
(is that why we started canonicalizing binary paths during the build?)
I think it was done more for feature detection purposes, e.g. only enable the network driver if ifconfig is present or something.
But that gets in the way of packagers, who usually want to explicitly enable/disable features anyway and to build in a minimal environment. It also assumes same-host deployment, and locks the configuration too early (what if I install ifconfig after building libvirt?).
Runtime detection has some drawbacks too, but overall is more flexible and we've been moving in that direction.
Maybe we also want to turn the iptables dependency into a Recommends? That way you will be able to uninstall it for a pure nft-based setup.
I was being ultra-conservative about the change, making it opt-in for the distros for now at least. But I'm also fine with making it opt-out
I believe Dan argued for the nft backend to be made the default where possible. I generally agree that we should adopt forward-looking defaults whenever that can be done without breaking existing users.
Anyway, regardless of which one of the backends ends up being the default one, maybe *both* nft and iptables should be Recommends? That way you'll get both installed by default, but you'll be able to drop the one that you're not using if you're aiming for a minimal deployment.
Fedora has used nft kmod since at least Fedora 32 IIRC. While you could potentially unload it and load the iptbles kmods I expect the users doing that are minimal if any. Even if someone is doing that, I see no reason why we can't exclusively have Requires: nft, and ignore iptables as far as deps are concerned. The only "downside" is that someone who has done the edge case of revertnig to iptables will have a redundant 'nft' userspace package installed. I think that's totally acceptable for such a niche edge case. Same for RHEL >= 9. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|