Hi,

On 2/1/21 8:04 PM, Paolo Bonzini wrote:
>
> On Mon, 1 Feb 2021, 22:15 Wainer dos Santos Moschetta wrote:
>
> > Not too long ago (QEMU 5.0) it was possible to configure with --disable-tools
> > and still have virtiofsd built. With the recent port of the build system to
> > Meson, it is now built together with the tools though.
> >
> > The Kata Containers [1] project builds QEMU with --disable-tools to decrease the
> > attack surface
>
> --enable-tools only adds separate executables, therefore it can't add
> to the attack surface of the emulators. So this is misleading.

You are right, Paolo, thanks for the comment.

I meant to say the project avoids installing unneeded binaries on the system, extra files which may be subject to CVEs and force a sysadmin to handle them.

I hope this clarifies my point.

Thanks!

Wainer

>
> That said, it does make sense to let --enable-virtiofsd override
> --disable-tools, and the same in the other direction too.
>
> Paolo
>
> > Side note: in a private chat with Stefan Hajnoczi he came up with the idea
> > that perhaps --disable-tools could be like --without-default-features where
> > one can add back on feature-by-feature basis. This is outside the scope of this
> > series but I thought of sharing because IMHO it deserves a discussion.
> >
> > [1] https://katacontainers.io
> >
> > Wainer dos Santos Moschetta (1):
> >   virtiofsd: Allow to build it without the tools
> >
> >  tools/meson.build | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > --
> > 2.29.2