[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Userops] Fwd: Re: [Betterservers] One click install
|
From: |
Christopher Allan Webber |
|
Subject: |
[Userops] Fwd: Re: [Betterservers] One click install |
|
Date: |
Thu, 05 Mar 2015 16:08:41 -0600 |
Sorry, this belonged on the userops list, not betterservers, which is
deprecated! Silly me!
Christopher Allan Webber writes:
> Stefano Zacchiroli writes:
>
>> [ resent to the list, sorry David for the dup ]
>>
>> On Fri, Feb 20, 2015 at 12:01:00PM -0500, David Thompson wrote:
>>> I don't think containers and the "app store" model are inseparable, but
>>> the currently popular tools like Docker just happen follow that model.
>>> NixOS is a good counter-example. They have container support, but the
>>> deduplication of the free software distribution model is preserved.
>>
>> It's been a while since I last looked into NixOS and similar distros.
>> But last time I did (~4 years ago, maybe) they where not engineered
>> around allowing to be sure that *all* copies of a given, say, vulnerable
>> library installed on a system get updated. In fact, the very nature of
>> their "garbage collection" model, with symlinks in user home directories
>> pointing to the version of a given software that that user chose to use,
>> made impossible to upgrade/remove all vulnerable copies of a libraries,
>> lest breaking user setups or version choices [1].
>>
>> Does anyone know if this has changed in recent times?
>>
>> Cheers.
>>
>>
>> [1] Of course the distribution model *does* break user choices of
>> versions all the time, precisely because it is not a user choice
>> which version of a software is available, but an admin one. But that
>> is the price to pay for the benefits of system-wide software
>> upgrades.
>
> I do think it's true that you can keep applications linking to the old
> library around, but I think it's probably a lot easier to update things
> than with containers? Rebuilding your applications with the new
> libraries is pretty easy, and so is investigating which applications are
> using the old version of the library. At least for Guix, it *looks
> like* (I'm not a Guix author, have only used it somewhat, but not
> enough) that the tooling to inspect those things is either baked in, or
> if not, is only a small amount of scheme away towards making into such a
> tool.
>
> I am super skeptical of the container route for pretty much the reason
> you express, Stefano... as well as a few others, as being a panacea for
> these things. :) Granted, one could say that "at least sandboxing, when
> it actually works, can mitigate the amount of damage an application is
> capable of doing to other applications on the system", but I think
> that's a pretty sad response (and not necessarily true always; maybe
> cross site scripting allows for accessing a session in even another
> application mounted on the same (sub)domain).
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Userops] Fwd: Re: [Betterservers] One click install,
Christopher Allan Webber <=