Francois Gouget wrote: > On Mon, 8 Sep 2008, Ambroz Bizjak wrote: > >> Hi, >> >> I've abandoned my chroot aproach to improving security in patchwatcher. >> Instead I've implemented the ability to run untrusted code as a user >> different than the one running patchwatcher. This is because creating a >> chroot where Wine could be compiled and tested proved to be too difficult >> and platform-dependent. > > This seems like an almost perfect task for a virtual machine: > * set up you virtual machine to taste > * take a snapshot > * to test a patch, fire up the virtual machine > * have it test the patch > * after the test or when it times out, revert it to the snapshot > * rinse (done in the step above), repeat > > This could be done with VirtualBox, but maybe other alternatives based > on Xen or KVM or some such would be better. The main issue I see with > this is that the OpenGL / DirectSound tests will not run on the real > hardware (as usual), but maybe a Xen-like approach could help there. > > It would also make it easy to test on FreeBSD / Solaris, at least if > based on something like VirtualBox (not sure about the Xen-like > approaches).
Yep. Virtualizaion has 3D shortcomings. I can see the way how to use pbuilder/pdebuild toolchain on dedicated user account in Debian to automate this in pretty safe and easy way. pbuilder uses fakeroot/chroot for this and its use is a nobrainer, hellish easy and effective. But this is limited to Debian systems only. Positive is that we still have access to 3DHW (although not concurrent/parallel). Anybody has experience with User-mode Linux kernels for that? ~*~ Another environment is OpenSolaris. There we can leverage technologie of zones & ZFS for cheap pseudovirtualization and fast FS recovery using FS snapshots. ~*~ IMO there is no silver bullet to bite all problems on all OS. We can build OS-specific toolchains around patchwatcher and I think that's more viable alternative. Cheers Hark