Philip Boulain wrote:
Yikes. I like the intent, but the idea of a previously just-data file
format suddenly being able to imply "-hdb fat:rw:/home/" does not
strike me as a good one. :/
This is why directly executable is important so that the user realizes
they must trust the image.
andrzej zaborowski wrote:
Yes, the file format starting with "#! /path/to/qemu" is a much better
idea...
That should probably be "#!/usr/bin/env qemu", or something similar,
if the intent is that "self-executing" image files are mostly
zero-effort portable across (UNIX-y) host environments.
I think the magic should just be "#!". Whatever you put as the QEMU
executable is your choice. Separating the args to the next line
actually does make it pretty portable. See my previous post as to how
it would work under Windows.
Anthony Liguori wrote:
The disk image is directly executable and it makes it very clear to
the user that they have to trust the disk image.
Only if qemu only read the embedded arguments in the case where it was
executed as a script interpreter for the image, and/or only if the
image's execute bit is set. In other words, this should prevent
embedded arguments from being used:
$ chmod -x dubious-image.qcow2
$ qemu -hda dubious-image.qcow2
Yes, I think that another argument should be required as Dan suggested
although I'd like something more explicit like "-read-args-from-image".
In the case where the image was directly executable, it would be
embedded as part of the interpreter arguments.
This also doesn't apply outside of UNIX-like environments, e.g.
Windows; if someone had told Explorer to launch image files as
"qemu.exe -hda (image)" (which is as close to shebanging a data file
as you can really get), this could really be a nasty surprise.
I think this is covered by requiring the additional argument.
Regards,
Anthony Liguori
LionsPhil
