Hello community,

here is the log from the commit of package caddy for openSUSE:Factory checked in at 2021-09-02 23:20:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/caddy (Old)
 and /work/SRC/openSUSE:Factory/.caddy.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "caddy" Thu Sep 2 23:20:24 2021 rev:3 rq:915788 version:2.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/caddy/caddy.changes 2021-06-09 21:52:40.834515219 +0200 +++ /work/SRC/openSUSE:Factory/.caddy.new.1899/caddy.changes 2021-09-02 23:20:47.488589138 +0200 @@ -1,0 +2,6 @@ +Wed Aug 25 13:55:21 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s). Modified: + * caddy.service + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ caddy.spec ++++++ --- /var/tmp/diff_new_pack.QfybNe/_old 2021-09-02 23:20:48.084589880 +0200 +++ /var/tmp/diff_new_pack.QfybNe/_new 2021-09-02 23:20:48.088589886 +0200 @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %define project github.com/caddyserver/caddy Name: caddy @@ -32,8 +33,8 @@ Source5: bash-completion Source6: _caddy BuildRequires: golang-packaging -BuildRequires: golang(API) >= 1.15 BuildRequires: systemd-rpm-macros +BuildRequires: golang(API) >= 1.15 %{?systemd_requires} %{go_provides} # Make sure that the binary is not getting stripped. ++++++ caddy.service ++++++ --- /var/tmp/diff_new_pack.QfybNe/_old 2021-09-02 23:20:48.216590046 +0200 +++ /var/tmp/diff_new_pack.QfybNe/_new 2021-09-02 23:20:48.216590046 +0200 @@ -14,6 +14,18 @@ LimitNPROC=512 PrivateTmp=true ProtectSystem=full +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions AmbientCapabilities=CAP_NET_BIND_SERVICE [Install]
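Review bot: the caddy.spec hunk at @@ -32,8 +33,8 @@ moves `BuildRequires: golang(API) >= 1.15` below `systemd-rpm-macros`, and the hunk before it adds a blank line ahead of `%define project`. Neither change is related to the service hardening, and the caddy.changes entry lists only caddy.service as modified. Drop the spec reordering from this submission or mention it in the changelog so the diff matches the stated change.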
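Review bot: `ProtectHome=true` in the caddy.service hunk makes /home, /root and /run/user inaccessible to the service, so a Caddy configuration that serves files from a directory under a user's home will stop working after this update, while the caddy.changes entry only says "Added hardening to systemd service(s)". Name this behaviour change in the changelog, or use `ProtectHome=read-only` if read access to home directories has to keep working. The same applies to the rest of the block added between the "added automatically" and "end of automatic additions" comments: the changelog should list the directives, since an administrator debugging a permission error will look there first.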
