juergbi commented on issue #1974: URL: https://github.com/apache/buildstream/issues/1974#issuecomment-2507473329
I don't think there is anything conceptually wrong with using FUSE in a sandbox. However, I would certainly avoid the problem space if there is an alternative, and requiring `CAP_SYS_ADMIN` makes it more problematic. Since Linux 4.18, the namespace-restricted `CAP_SYS_ADMIN` should suffice, but it's still a significant increase in kernel API surface and I think, if we were to support it, adding `CAP_SYS_ADMIN` should require an explicit, separate platform property, not implicitly be enabled via a FUSE option.

It also means that it won't be possible to support FUSE without changes in BuildBox. Changing buildbox-run-bubblewrap to not pass `--cap-drop ALL` to `bwrap` might do the trick.

@jbleonesio Have you considered using 7z or the library provided by darling-dmg to extract the .dmg instead of FUSE?
