Package: podman
Followup-For: Bug #978650
X-Debbugs-Cc: Antonio Terceiro <terce...@debian.org>, Reinhard Tartler <siret...@gmail.com>, Andrej Shadura <andrew.shad...@collabora.co.uk>

Debian's podman isn't able to resolve short names out of the box. It seems however that upstream is (I have not verified that - I'm inferring that from looking at an example [1]).

Behaving differently from vanilla upstream will mean that recipes working out of the box with upstream will fail on Debian.

I respect and consider valid the argument about the security aspect of using short-names brought forward by Reinhard in [2].

What I'd like to question is the weighting of:

 * convenience
 * being compatible with upstream

versus

 * security aspect

We gain security by breaking convenience and compatibility with upstream. That's the price we pay here for that bit of security.

Now let's consider the security part. It's a given that if you are using a random container image then you *will* get a random container image. Which is maybe not a very wise thing to do.

However *are* people using random images without a second thought? And additionally: do we want to protect people from using random images from the internet?

It is a given that Unix is giving you the gun and if you point it at your foot and pull the trigger then the result will be bad. Being a Unix system admin one *must* be traditionally careful.

How is this different with short-names? Why do we now have to protect the admin or the user?

I think just like with everything else, recipes on the internet do *not* include random short-names but instead standard ones, such as official python or debian images. Also users are aware that installing a random container will execute random code on one's system.

Therefore I'd like to argue that going with upstream behavior would be the better setting.

Whichever way the argument goes: thanks a lot for maintaining podman!
*t

[1] https://github.com/ansible-community/ansible-bender/blob/master/simple-playbook.yaml
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978650#90

-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii  conmon                           2.0.25+ds1-1.1
ii  containernetworking-plugins      0.9.0-1+b6
ii  golang-github-containers-common  0.33.4+ds1-1
ii  init-system-helpers              1.60
ii  iptables                         1.8.7-1
ii  libc6                            2.31-13+deb11u2
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.1-1+deb11u1
ii  runc                             1.0.0~rc93+ds1-5+b2

Versions of packages podman recommends:
ii  buildah                                           1.19.6+dfsg1-1+b6
ii  fuse-overlayfs                                    1.4.0-1
ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b7
ii  slirp4netns                                       1.0.1-2
ii  tini                                              0.19.0-1
ii  uidmap                                            1:4.8.1-1

Versions of packages podman suggests:
pn  containers-storage  <none>
ii  docker-compose      1.25.0-1

-- Configuration Files:
/etc/cni/net.d/87-podman-ptp.conflist [Errno 13] Keine Berechtigung: '/etc/cni/net.d/87-podman-ptp.conflist'

-- no debconf information