[Spice-devel] [spice-gtk v4 00/13] CD sharing feature
Yuri Benditovich
yuri.benditovich at daynix.com
Thu Sep 20 16:30:59 UTC 2018
On Thu, Sep 20, 2018 at 2:48 PM, Gerd Hoffmann <kraxel at redhat.com> wrote:
> Hi,
>
> > If we consider the nbd PoC and the solution Daynix sent (spice-gtk and
> > emulation) I personally prefer the Daynix solution and as Yuri said
> already
> > the glue code required for the nbd is bigger than the emulation code.
>
> Oh. Fair enough. I certainly didn't expect that the nbd glue is more
> code than doing full usb+scsi emulation.
>
> > I also think is better from the client prospective, updating the host
> > to fix possible problems is much harder than just update the client.
>
> The qemu usb/scsi/cdrom emulation has seen years of testing.
> So I wouldn't worry too much about bugs there.
>
> > Being also the client less a security issue the client solution reduces
> > the surface attack.
>
> That is wrong IMO. You just have a different attack surface, for the
> most part it moves from the virtualization host (the machine running
> qemu) to the user's box (the machine running spice-client).
>
In aspect of security/attack surface the cd-sharing in the client is not
different from flash drive redirection (if I'm not mistaken) and should not
increase the risk.
>
> Whenever that is better or not depends much on the deployment. With
> thin clients you might be better off that way. When the spice-client
> runs on a full-blown workstation it might be a rather interesting target
> to attack though.
> cheers,
> Gerd
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20180920/d628384a/attachment.html>
More information about the Spice-devel
mailing list