On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote: > Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben: > > The argument that there might not be a traditional filename doesn't make > > sense to me. When there is no filename the command-line is already > > sufficiently complex and usage is fancy enough that probing adds no > > convenience, the user can just specify the format. > > -hda nbd://localhost > -drive file=nbd://localhost,format=raw > > Almost double the length, and I don't see anything fancy in the first > line. > > > Anyway, does this sound reasonable: > > > > In QEMU 3.0, require the format= option for -drive. Keep probing the > > way it is for non-drive options because they are used for convenience by > > local users. > > And being hacked while using -hda is better in which way?
Markus is proposing that we look at the filename extension. In that case QEMU cannot be tricked by the contents of a raw image. That makes -hda perfectly safe although there are cases where QEMU doesn't know what to do and requires format=. I do worry that changing QEMU's probing behavior drastically can lead to consistencies where libvirt does its own probing :(. Haven't thought through the bug scenarios but that could be a security problem in itself. Stefan
pgp2hb7YBJqyn.pgp
Description: PGP signature
