Hi Flavio, On Wed, Jan 27, 2016 at 4:50 AM, Flavio Percoco <fla...@redhat.com> wrote: > [snip] > However, as a community, I think we should send a clear message and protect > our users and, in this case, the best way > is to avoid adding this format as supported. >
To address some of the concerns i have added a security impact statement on the spec 1. Ironic doesn't unpack the OS tarball, it will be unpacked on the target node in a ramdisk using tar utility. (tar -avxf) 2. The moment you allow an un-trusted OS image to be deployed, the expected security is None. An advisory doesn't need to manipulate the extraction of the tarball to gain access in that case. 3. In docker the vulnerability is high because a vulnerable container can infect the host system. 4. I understand the concerns with the conversion API's , and they are valid. Please feel free to not support tar as a conversion target. -- Arun S A G http://zer0c00l.in/ __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
