On 23/03/2015 18:48, Eric Blake wrote:
>> Why can't libvirt just add ,format=raw instead of leaving out the
>> format key altogether?
>
> Libvirt DOES add format=raw. This patch is an extra insurance
> policy to guarantee that libvirt does not have any code paths that
> omit the explicit format (as we have had a couple of CVEs in
> libvirt over the years where that was the case).

And where's the extra insurance policy to guarantee that QEMU does not have any code paths that ignore the new command line option?

This is really borderline security theater. Bugs happen, we fix them. Even better, Kevin now has implemented a strong mitigation for CVEs like this, that won't allow guests to transmute a probed raw image into another format.

There certainly hasn't been enough discussion for this to get into 2.3.

Paolo