From: Ludovic Courtès via Libc-alpha
Reply-To: Ludovic Courtès
To: DJ Delorie
Cc: ashankar@redhat.com, libc-alpha@sourceware.org, fweimer@redhat.com
Subject: Re: On the removal of nscd from Fedora, and the future of nscd.
Date: Tue, 01 Mar 2022 18:44:49 +0100
Message-ID: <87mti94lf2.fsf@gnu.org>
In-Reply-To: (DJ Delorie's message of "Tue, 01 Mar 2022 11:54:02 -0500")

DJ Delorie writes:

> Ludovic Courtès writes:
>> This nscd requirement is one of the few must-haves to ensure, as
>> Joseph writes, that processes (in particular those linked against
>> Guix’s libc) do not end up dlopening arbitrary, possibly incompatible
>> libraries.
>
> My point is, if there's a risk that a Guix binary *could* load a host
> dso, then Guix is insufficiently isolated from the host system. nscd is
> just one example of how this could happen. If you accept this
> non-isolation, you need to accept that dsos need to be cross-usable.

Actually, by default, a Guix program on (say) Fedora-without-nscd won’t
dlopen Fedora’s libnss_sssd.so. Instead, it’ll search in vain for
libnss_sssd.so in its search path (which does not include /usr/lib), and
have its name lookups fail with EAI_SYSTEM, ENOENT, or some other unclear
error.

IMO the situation of NSS is singular. The use case of Guix, Nix, and
others is also very real, used today just fine even without full
isolation (separate namespaces & co.).

I hope this clarifies the context.

Ludo’.
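The failure mode Ludovic describes (an NSS module named in nsswitch.conf that the program's libc cannot find on its own search path, so lookups fail with an unhelpful error instead of falling back to the host's module) can be checked for ahead of time. The POSIX sh functions below are an added example and are not code from this thread, glibc, or Guix: `nss_modules`, `missing_nss_modules` and `nscd_socket_present` are hypothetical names, and the test feeds them a constructed nsswitch.conf and an empty library directory rather than a live system. They list the modules a given nsswitch.conf references (skipping `[ACTION=...]` groups and comments), report which ones have no `libnss_<name>.so.2` in the directories you pass (for example, the library directories of the libc the binary is linked against, not /usr/lib), and tell you whether an nscd socket exists that could be serving those lookups instead.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helpers, not part of glibc or Guix):
# find NSS modules that an nsswitch.conf names but that are not present
# as libnss_<name>.so.2 in the library directories of a given libc.

# nss_modules FILE
#   Print the unique NSS module names referenced in FILE, one per line.
#   Comments, the "database:" prefix and [ACTION=...] groups are dropped.
nss_modules() {
    sed -e 's/#.*//' \
        -e 's/\[[^]]*\]//g' \
        -e 's/^[^:]*://' "$1" \
      | tr ' \t' '\n\n' \
      | grep -v '^$' \
      | sort -u
}

# missing_nss_modules FILE DIR...
#   Print each module from FILE for which none of DIR... contains
#   libnss_<name>.so.2. An empty result means every configured
#   module is resolvable from those directories.
missing_nss_modules() {
    conf=$1
    shift
    for mod in $(nss_modules "$conf"); do
        found=0
        for dir in "$@"; do
            if [ -e "$dir/libnss_$mod.so.2" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || echo "$mod"
    done
}

# nscd_socket_present [PATH]
#   Succeed if a Unix socket exists at PATH (default: the conventional
#   nscd socket path). When nscd is present, lookups for modules that
#   are missing locally may still be answered by the daemon.
nscd_socket_present() {
    [ -S "${1:-/var/run/nscd/socket}" ]
}

# Typical use on a host:
#   missing_nss_modules /etc/nsswitch.conf /path/to/guix-libc/lib
#   nscd_socket_present && echo "nscd socket found"
```

Run it with the nsswitch.conf the host actually uses and the library directories that the foreign libc searches; any module it prints is one whose lookups will fail in that binary unless nscd (or another local service) answers them.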