
On Tue, Feb 14, 2017 at 05:47:27PM +0100, Andrea Bolognani wrote:
> On Tue, 2017-02-14 at 16:20 +0000, Daniel P. Berrange wrote:
> > > On the other hand, we really only care about having the ACL APIs when we are isolating QEMU, which only happens on Linux due to the namespaces requirement... So maybe we could have it as a strict requirement on Linux only, and as an optional dependency on other platforms?
> >
> > IMHO it'd be better to just disable the namespace code at build time if we don't have libacl rather than adding mandatory build deps.
>
> I'm afraid that might lead to people forgetting to install libacl-devel[1] on Linux and ending up with less security than expected / desired as a result.

You can make the same argument about many other libraries we have optional dependencies against, libcapng, libselinux, apparmor, etc. Our general policy is for libraries to be optional and I don't see a reason for this to be a different case.

> [1] I know I did while trying to figure this bug out ;)

If we disabled namespace support when libacl is missing at build time you would have noticed quite quickly that you weren't using namespaces.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|