Hi,

On 2/1/21 8:04 PM, Paolo Bonzini wrote:


On Mon, 1 Feb 2021 at 22:15, Wainer dos Santos Moschetta <waine...@redhat.com> wrote:

    Not too long ago (QEMU 5.0) it was possible to configure with --disable-tools
    and still have virtiofsd built. With the recent port of the build system to
    Meson, it is now built together with the tools though.

    The Kata Containers [1] project builds QEMU with --disable-tools to decrease the
    attack surface


--enable-tools only adds separate executables, therefore it can't add to the attack surface of the emulators. So this is misleading.


You are right, Paolo, thanks for the comment. I meant to say the project avoids installing unneeded binaries on the system, extra files which may be subject to CVEs and force a sysadmin to handle them. I hope this clarifies my point.

Thanks!

Wainer


That said, it does make sense to let --enable-virtiofsd override --disable-tools, and the same in the other direction too.

Paolo

    Side note: in a private chat with Stefan Hajnoczi he came up with the idea
    that perhaps --disable-tools could be like --without-default-features, where
    one can add back on a feature-by-feature basis. This is outside the scope of
    this series but I thought of sharing it because IMHO it deserves a discussion.


    [1] https://katacontainers.io

    Wainer dos Santos Moschetta (1):
      virtiofsd: Allow to build it without the tools

     tools/meson.build | 7 +++++--
     1 file changed, 5 insertions(+), 2 deletions(-)

-- 2.29.2
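The point Wainer makes above is that a minimal QEMU build should not leave unneeded binaries (the tools, or virtiofsd when it is not wanted) on the system. The script below is an added example, not part of this thread or of the QEMU project: it walks an install prefix and reports any binary under bin/ and libexec/ that is not on an allowlist, so you can confirm after `make install` that --disable-tools (and --enable-virtiofsd, where used) produced the install tree you intended. The allowlist, the prefix layout (qemu-system-* in bin/, virtiofsd in libexec/) and the sample tree it constructs are assumptions for the example; adjust them to your own build.

```shell
#!/bin/sh
# Added example (not from the thread or from QEMU): check that an installed
# QEMU prefix contains only the binaries you expect. Allowlist and install
# layout are assumptions; edit ALLOWED_BINS for your own minimal build.

# Assumed allowlist for a Kata-style guest: the emulator plus virtiofsd.
ALLOWED_BINS="qemu-system-x86_64 virtiofsd"

# qemu_check_install PREFIX
# Prints every file under PREFIX/bin and PREFIX/libexec that is not in
# ALLOWED_BINS. Returns 1 if any unexpected binary was found, 0 otherwise.
qemu_check_install() {
    prefix=$1
    rc=0
    for dir in "$prefix/bin" "$prefix/libexec"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            name=$(basename "$f")
            allowed=0
            for a in $ALLOWED_BINS; do
                if [ "$name" = "$a" ]; then
                    allowed=1
                fi
            done
            if [ "$allowed" -eq 0 ]; then
                echo "unexpected: $f"
                rc=1
            fi
        done
    done
    return $rc
}

# make_sample_tree MODE
# Constructs a throwaway install tree so the check can be exercised offline.
# MODE "minimal" mimics --disable-tools --enable-virtiofsd; MODE "with-tools"
# additionally drops a qemu-img binary in bin/ as the tools would.
# Prints the path of the created prefix.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/libexec"
    : > "$dir/bin/qemu-system-x86_64"
    : > "$dir/libexec/virtiofsd"
    if [ "$1" = "with-tools" ]; then
        : > "$dir/bin/qemu-img"
    fi
    echo "$dir"
}
```

Run it against a real prefix with `qemu_check_install /opt/kata/qemu` after installing; a non-zero exit from a CI step is enough to catch a configure change that silently re-enables the tools.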
