[lxc-devel] [PATCH 1/1] lxc_create: prepend pretty header to config file

Stéphane Graber stgraber at ubuntu.com
Fri Jul 12 16:03:41 UTC 2013


On Fri, Jul 12, 2013 at 04:49:33PM +0100, Daniel P. Berrange wrote:
> On Fri, Jul 12, 2013 at 10:27:14AM -0500, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > On Thu, Jul 11, 2013 at 11:51:25PM -0500, Serge Hallyn wrote:
> > > > Define a sha1sum_file() function in utils.c (which requires configure.ac
> > > > to check for -lcrypto and -lssl).  Use that in lxcapi_create to write out
> > > > the sha1sum of the template being used.
> > > > 
> > > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > > ---
> > > >  configure.ac           |    2 +
> > > >  src/lxc/Makefile.am    |    2 +-
> > > >  src/lxc/lxccontainer.c |  109 ++++++++++++++++++++++++++++++++++++++++++++++--
> > > >  src/lxc/utils.c        |   36 ++++++++++++++++
> > > >  src/lxc/utils.h        |    2 +
> > > >  5 files changed, 146 insertions(+), 5 deletions(-)
> > > 
> > > Does the LXC license allow linking to OpenSSL?
> > > 
> > > Specifically we need the following bit in the license:
> > >  * In addition, as a special exception, the copyright holders give
> > >  * permission to link the code of portions of this program with the
> > >  * OpenSSL library under certain conditions as described in each
> > >  * individual source file, and distribute linked combinations
> > >  * including the two.
> > >  * You must obey the GNU General Public License in all respects
> > >  * for all of the code used other than OpenSSL.  If you modify
> > >  * file(s) with this exception, you may extend this exception to your
> > >  * version of the file(s), but you are not obligated to do so.  If you
> > >  * do not wish to do so, delete this exception statement from your
> > >  * version.  If you delete this exception statement from all source
> > >  * files in the program, then also delete it here.
> > > 
> > > Details: https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> > 
> > (&$%(*$(%)**(^#($)(*#
> > 
> > Ok, so as you suggested in irc (thanks) we could use gnutls.  But I
> > also like the idea of just grabbing lib/sha1.c from coreutils (which
> > is under gpl) which is what is used by sha1sum, which we used before
> > in the lxc-create script.  It looks like much simpler usage, and fewer
> > dependencies.
> > 
> > Any objections?
> 
> Copy+pasting code for encryption algorithms is really not nice.
> It means that instead of distributors of your package being able
> to rely on the fact 'gnutls' is (eg) FIPS certified, they now have
> to explicitly certify the copy of the code in your package too :-(
> 
> Regards,
> Daniel

Indeed, though in this case it's just used for the hash of a file to be
stored as a comment in another. But I agree that while there are
benefits in just copy/pasting some code in our tree (makes it easier for
the Android port), I think I'd still prefer we link to some external
library for that.

A reasonable middle-ground to me would be:
 - Link to gnutls and use gnutls_hash_fast to hash the template
 - Make this code optional, if gnutls isn't there at configure time, we
   simply don't hash the template.


Another ugly alternative to all that would be calling sha1sum directly
(if available on the path) which would just work on most Linux distros
and on Android, though it comes with yet another system call which I
like to keep to a minimum...

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
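
The middle ground proposed in this message (hash the template with gnutls_hash_fast, and skip the hash when gnutls was not found at configure time) could look like the following. This is an added example, not code from the patch or from LXC; HAVE_LIBGNUTLS, sha1sum_file_hex(), write_template_header() and the wording of the header comment are assumptions.

```c
/* Added example, not LXC code. HAVE_LIBGNUTLS, sha1sum_file_hex() and
 * write_template_header() are assumed names; header wording is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_LIBGNUTLS
#include <gnutls/crypto.h>
#endif
#define SHA1_LEN 20

/* Returns 1 and fills hex (2 * SHA1_LEN + 1 bytes) on success, 0 when built
 * without gnutls (hashing silently skipped), -1 on I/O or hash failure. */
int sha1sum_file_hex(const char *path, char *hex)
{
	hex[0] = '\0';
#ifdef HAVE_LIBGNUTLS
	unsigned char md[SHA1_LEN], *buf = NULL;
	long len;
	int i, ret = -1;
	FILE *f = fopen(path, "rb");

	if (!f)
		return -1;
	/* Templates are small scripts: read the whole file, hash it in one call. */
	if (fseek(f, 0, SEEK_END) || (len = ftell(f)) < 0 || fseek(f, 0, SEEK_SET))
		goto out;
	buf = malloc(len ? (size_t)len : 1);
	if (!buf || fread(buf, 1, (size_t)len, f) != (size_t)len)
		goto out;
	if (gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, (size_t)len, md) < 0)
		goto out;
	for (i = 0; i < SHA1_LEN; i++)
		snprintf(hex + 2 * i, 3, "%02x", md[i]);
	ret = 1;
out:
	free(buf);
	fclose(f);
	return ret;
#else
	(void)path;
	return 0;
#endif
}

/* Writes the header comment; the checksum line appears only if one exists. */
int write_template_header(FILE *out, const char *tpath)
{
	char hex[2 * SHA1_LEN + 1];
	int r = sha1sum_file_hex(tpath, hex);

	fprintf(out, "# Template used to create this container: %s\n", tpath);
	if (r == 1)
		fprintf(out, "# Template script checksum (SHA-1): %s\n", hex);
	return r;
}
```

Defining HAVE_LIBGNUTLS and linking with -lgnutls enables the hashing path; without them the same source builds and the checksum line is simply left out.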