Patchwatcher security improvements

Francois Gouget fgouget at
Wed Sep 10 06:37:55 CDT 2008

On Mon, 8 Sep 2008, Ambroz Bizjak wrote:

> Hi,
> I've abandoned my chroot aproach to improving security in patchwatcher.
> Instead I've implemented the ability to run untrusted code as a user
> different than the one running patchwatcher. This is because creating a
> chroot where Wine could be compiled and tested proved to be too difficult
> and platform-dependent.

This seems like an almost perfect task for a virtual machine:
 * set up you virtual machine to taste
 * take a snapshot
 * to test a patch, fire up the virtual machine
 * have it test the patch
 * after the test or when it times out, revert it to the snapshot
 * rinse (done in the step above), repeat

This could be done with VirtualBox, but maybe other alternatives based 
on Xen or KVM or some such would be better. The main issue I see with 
this is that the OpenGL / DirectSound tests will not run on the real 
hardware (as usual), but maybe a Xen-like approach could help there.

It would also make it easy to test on FreeBSD / Solaris, at least if 
based on something like VirtualBox (not sure about the Xen-like 

Francois Gouget <fgouget at>    
 Advice is what we ask for when we already know the answer but wish we didn't
                                 -- Eric Jong

More information about the wine-devel mailing list