[Fedora-livecd-list] Welcome Pilgrims, please don't take our land...
Jane Dogalt
jdogalt at yahoo.com
Mon Sep 25 23:20:30 UTC 2006
--- David Zeuthen <davidz at redhat.com> wrote:
>
> On Thu, 2006-09-21 at 20:57 -0700, Jane Dogalt wrote:
> > Certainly your writing your own installer seperate from anaconda
> can
> > give you a better feeling that tons of code isn't being run as root
> in
> > a way that it wasn't really designed (well) from the ground up to
> do.
> >
> > But the other major thing is general security. If it wasn't code
> that
> > you had written yourself, how comfortable would you feel trying to
> use
> > your main workstation to generate a custom livecd (when it's
> churning
> > away in root-mode for hour/s)?
>
> Probably not very comfortable. Then again, we all run pretty security
> sensitive code but normally that have been vetted by several OS
> vendors.
>
> I rarely run random code as root that some dude sends to a mailing
> list
> without reading it through.
Thats an obvious issue, but even if I had all the trust in the author,
I'd still be trusting all of those %pre/%post scripts, and whatever
other stuff, as root. I know redhat/fedora have relatively stellar
quality control (I actually mean that), but still, I'd much rather run
those hundreds of pre/post scripts and whatnot from extras or less
vetted repositories, in a container as you say.
> > If my project is successful, I forsee people feeling much more
> > comfortable doing a -
> >
> > (as root) yum install vsys (or local per user root-less install)
> > (as user) vsys generate liveiso \
> > --config=mediacenter_appliance.xml \
> > --addpackages=myfavoriteeditor,meld \
> > mylivedvd.iso
>
> Yea. Using some kind of container (qemu, xen, whatever) / jail (e.g.
> chroot) is probably a good idea. I don't see that being hard to add
> to
> pilgrim, though, the container approach raises an interesting Chinese
> Box paradox: how do you build the container in the first place? :-)
I'm a bit fuzzy on your philisophical allusion, but I'll posit a couple
of answers, which may or may not have anything to do with your point-
1) cryptic riddle answer: (use '-snapshot -hda X -hdb Y' | X==Y)
2) project genesis:
- how do you build the container? - presumably an almost unanswerable
bootstrapping issue, but my answer-
- take fc5 for now, make a lower order bootstrap later if
desired
- I.e. what I want to see:
yum install vsys
vsys generate liveiso -config=fc5_genesis.xml fc5genesis.iso
qemu-img create /tmp/fc5stuffs.img 50G
qemu-img create /tmp/scratcharea.img 50G
qemu -boot d -hda /tmp/scratcharea.img -cdrom fc5genesis.iso
tar tvzf /tmp/fc5stuffs.img
which utilizes only for input an implicit connection to the fc5 normal
installer dvd and source iso images (or simple http/ftp tree thereof)
and after some period of time (week?) ultimately produces the following
output
./fc5-x86_install_dvd.iso
# (binaries compiled from scratch, using bootstrap of orig fc5
binaries)
./fc5_sources_dvd.iso
# if you really want to get crazy and add 2 weeks of build time
./fc5-ppc_install_dvd.iso
(and/or simple http/ftp tree thereof).
(and by install_dvd, I mean the things fedora/redhat ships today)
(and if you want to add another few days of build time, you can include
a set of regression tests against the install_dvd.iso's, by
qemu/container booting them before shutting down to tell the user the
output is ready. And of course all this can churn away happily on a
headless server farm... bwa ha ha ha....)
-dmc/jdog
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the Fedora-livecd-list
mailing list