Christopher Yeoh wrote:
> On Mon, Sep 23, 2013 at 10:56 PM, Russell Bryant <rbry...@redhat.com> wrote:
> I agree with Monty and Thierry that ideally file injection should DIAF
> everywhere. On that note, have we done anything with that in the v3
> API? I propose we remove it completely.
>
> It was separated from core as the os-personalities extension. So it's very
> easy to drop completely from the V3 API if we want to. Do you want me to
> submit a changeset to do this
> now (given the feature freeze) or wait until icehouse?

I actually would like to have a discussion at next summit of how to bring Nova's security to the next step. This will involve getting rid of risky operations when they are not so needed (like injecting files into mounted image filesystems), but we need to have an overall view (no point in removing that specific weak chain link if another remains as weak) to see where we can actually improve things significantly.

So I would wait for icehouse to do anything. If it's separated from the core V3 API already, I guess it's still easy to get rid of it in icehouse if that's the outcome of that discussion session.

--
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev