On 2019-11-23 18:34:25, Julien Cristau wrote: > On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote: >> diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog >> ganeti-instance-debootstrap-0.16/debian/changelog >> --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 >> 06:57:18.000000000 -0400 >> +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 >> 19:01:50.000000000 -0400 >> @@ -1,3 +1,10 @@ >> +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium > > Version number and distribution don't look right.
Ah yes, that would be 0.16-6+deb10u1, right? >> + >> + * Non-maintainer upload >> + * add patch to respect linux caps (Closes: #942114) >> + >> + -- Antoine Beaupré <anar...@debian.org> Fri, 01 Nov 2019 19:01:50 -0400 >> + >> ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium >> >> * Bump Standards-Version to 4.1.4; no changes needed >> diff -Nru >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> --- >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> 1969-12-31 19:00:00.000000000 -0500 >> +++ >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> 2019-11-01 19:01:50.000000000 -0400 
>> @@ -0,0 +1,48 @@ >> +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> >> +Date: Thu, 10 Oct 2019 11:07:51 -0400 >> +Subject: [PATCH] respect Linux capabilities(7) in cache >> + >> +The default GNU tar configuration does not carry fancy extended >> +attributes and that is where, among other things, stuff like Linux >> +capabilities(7) are stored. This is kind of important because that's >> +how ping(8) works for regular users. >> + >> +We shove --selinux and --acls in there while we're at it, because why >> +not. We never know what the future might bring, and it seems >> +silly *not* to create a complete archive. >> + >> +Note that --xattrs-include='*' is important because, by default, GNU >> +tar will not include capabilities /even/ if --xattrs is specified on >> +the commandline, see this bug report for details: >> + > > I'm a bit uneasy about a blanket "include all", to be honest. It's > probably harmless since it's all coming straight out of debootstrap, but > I'd have been happier with something like "include security.*" if that's > what we expect to see. What kind of problems would you expect with including too many ACLs? A. -- Qui vit sans folie n'est pas si sage qu'il croit. - François de La Rochefoucauld
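Review bot: In the debian/changelog hunk, the header line `ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium` has two fields that the reply flags, but the follow-up only proposes a new version (0.16-6+deb10u1). The distribution on that same line needs to change with it, since a +deb10u1 version belongs to the Debian 10 (buster) suite rather than unstable. The item `add patch to respect linux caps` would also be more useful to a later reader if it said what changes in practice, namely that the cache archive now keeps extended attributes.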
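Review bot: In the commit message of the added respect-Linux-capabilities-7-in-cache.patch, the paragraph on `--xattrs-include='*'` explains why an include pattern is needed for capabilities but not why it has to match every attribute. The stated goal is keeping capabilities(7) so that ping(8) works for regular users, and those are stored under the security.* namespace, so either narrow the pattern as the reply suggests or state which other namespaces are expected in a debootstrap tree. The `--selinux` and `--acls` paragraph has the same gap: "because why not" does not record what those options are expected to capture, and the visible text only talks about creating the archive, so it should also say whether the matching options are passed when the cache is unpacked.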
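An added example (not code from this thread or from ganeti-instance-debootstrap): one way to see what a blanket `--xattrs-include='*'` put into a cache archive is to list the `SCHILY.xattr.*` pax records that GNU tar writes and compare them with a narrower allow-list such as `security.*`. The member names and attribute values are constructed samples, and Python's `fnmatch` stands in for tar's own pattern matching as an assumption.

```python
import fnmatch
import io
import tarfile

# GNU tar records each extended attribute as a pax header named
# "SCHILY.xattr.<attribute name>" on the member it belongs to.
XATTR_PREFIX = "SCHILY.xattr."


def build_sample_cache() -> bytes:
    """Constructed sample: a pax archive with xattr records on two members."""
    # security.capability value for cap_net_raw+ep (VFS_CAP_REVISION_2 layout).
    cap_net_raw_ep = "\x01\x00\x00\x02" + "\x00\x20\x00\x00" + "\x00" * 12
    members = {  # hypothetical paths, not taken from a real debootstrap tree
        "bin/ping": {"security.capability": cap_net_raw_ep},
        "usr/bin/helper": {"user.note": "scratch", "trusted.overlay.opaque": "y"},
        "etc/hostname": {},
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, xattrs in members.items():
            info = tarfile.TarInfo(name)
            info.pax_headers = {XATTR_PREFIX + k: v for k, v in xattrs.items()}
            tar.addfile(info)
    return buf.getvalue()


def audit_xattrs(archive: bytes, allowed=("security.*",)):
    """Return (kept, flagged): (member, xattr) pairs inside/outside the allow-list."""
    kept, flagged = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar:
            for key in member.pax_headers:
                if not key.startswith(XATTR_PREFIX):
                    continue  # ordinary pax fields such as path or mtime
                attr = key[len(XATTR_PREFIX):]
                # Assumption: shell-style matching approximates tar's patterns.
                ok = any(fnmatch.fnmatchcase(attr, pat) for pat in allowed)
                (kept if ok else flagged).append((member.name, attr))
    return kept, flagged


if __name__ == "__main__":
    kept, flagged = audit_xattrs(build_sample_cache())
    print("covered by security.*:", kept)
    print("only present because of '*':", flagged)
```

Pointed at a real cache archive instead of the constructed one, the flagged list shows exactly which attributes the wider pattern adds over `security.*`.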