Patchwatcher security improvements
Francois Gouget
fgouget at free.fr
Wed Sep 10 06:37:55 CDT 2008
On Mon, 8 Sep 2008, Ambroz Bizjak wrote:
> Hi,
>
> I've abandoned my chroot approach to improving security in patchwatcher.
> Instead I've implemented the ability to run untrusted code as a user
> different than the one running patchwatcher. This is because creating a
> chroot where Wine could be compiled and tested proved to be too difficult
> and platform-dependent.
This seems like an almost perfect task for a virtual machine:
* set up your virtual machine to taste
* take a snapshot
* to test a patch, fire up the virtual machine
* have it test the patch
* after the test or when it times out, revert it to the snapshot
* rinse (done in the step above), repeat
This could be done with VirtualBox, but maybe other alternatives based
on Xen or KVM or some such would be better. The main issue I see with
this is that the OpenGL / DirectSound tests will not run on the real
hardware (as usual), but maybe a Xen-like approach could help there.
It would also make it easy to test on FreeBSD / Solaris, at least if
based on something like VirtualBox (not sure about the Xen-like
approaches).
--
Francois Gouget <fgouget at free.fr> http://fgouget.free.fr/
Advice is what we ask for when we already know the answer but wish we didn't
-- Eric Jong
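
The snapshot / test / revert loop described in this message, sketched with VirtualBox's `VBoxManage` CLI as an added example (not part of the original post and not patchwatcher code). The VM name, snapshot name, time limit and the ssh command that runs the test inside the guest are assumptions.

```shell
#!/bin/sh
# Added example. The names below are assumptions, not patchwatcher settings.
VBOX=${VBOX:-VBoxManage}        # VirtualBox command-line tool
VM=${VM:-patchwatcher-guest}    # hypothetical VM name
SNAP=${SNAP:-clean}             # hypothetical snapshot taken after setup
LIMIT=${LIMIT:-3600}            # wall-clock limit in seconds, enforced on the host
# Hypothetical guest-side runner: reads the patch on stdin, exits 0 on success.
GUEST_CMD=${GUEST_CMD:-"ssh tester@patchwatcher-guest ./run-tests"}

# Discard whatever the untrusted patch did: power the VM off (it may
# already be off, so that failure is ignored) and restore the snapshot.
revert_vm() {
    "$VBOX" controlvm "$VM" poweroff >/dev/null 2>&1 || true
    "$VBOX" snapshot "$VM" restore "$SNAP"
}

# test_patch FILE
# Returns 0 = tests passed, 1 = tests failed, 2 = timed out,
#         3 = the VM could not be started or reverted.
test_patch() {
    patch=$1
    "$VBOX" startvm "$VM" --type headless >/dev/null ||
        { revert_vm || true; return 3; }

    # The limit is enforced from the host, so a patch that hangs or
    # tampers with the guest cannot extend its own run.
    timeout "$LIMIT" $GUEST_CMD < "$patch" && rc=0 || rc=$?

    # Revert on every path (pass, fail or timeout). If the revert itself
    # fails, report that instead of a test result: the next patch must
    # not run on a guest left in an unknown state.
    revert_vm || return 3

    case $rc in
        0)   return 0 ;;
        124) return 2 ;;   # exit status timeout(1) uses for "time limit hit"
        *)   return 1 ;;
    esac
}
```
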