On Sat, Nov 04, 2017 at 10:47:36PM +0100, Julian Andres Klode wrote:
> On Sat, Nov 04, 2017 at 06:23:00AM +0000, Niels Thykier wrote:
> > As for debtorrent: I /think/ it is a "third-party" method (from apt's
> > PoV) and therefore not covered by the built-in rules. CC'ing deity to
> > confirm that.

It has to be noted that debtorrent is no more – it was removed from Debian 4 years ago, so it should really not be mentioned. The only third-party apt-transport-* packages I know of existing in Debian ATM are s3 and spacewalk, which indeed don't use any of the recentish introduced hardening features for methods as they are all "opt-in". There is also a-t-tor, but that is maintained by the APT team nowadays, so not 3rd party – and it uses all the same hardening features as http.

> Why not just both? Add it to what's new and add a link to issues saying
> "also the <a>new sandboxing features in apt</a> might cause some issues."

I would expect that by the time we release buster, apt has gained some other noteworthy things to report in "what's new", so that this seccomp thingy can be kept mostly contained in the issue part, as that feature is ideally a user-invisible change and the news entry just points to the issue section (but to be honest, not sure if it's even worthy for issues, as we have bigger issues if we haven't figured out the required syscalls for all release architectures at buster release time…)

Best regards

David Kalnischkies