On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote: > Hi, Adam > Very thanks for checking my package and pointing these issues. > I have communicate with upstream author of deepin-system-monitor, and he > confirmed these security problems. As a result, he is willing to modify > d-s-m sources to limited the privilege operations within a very small > helper program with some capabilities, at the same time he > will refactor gui program of d-s-m to perform these operations by > sending request to the helper program via dubs. The helper program will > refuse any other request which is not sent from d-s-m.
You might want to ask someone with a clue about policykit/etc for advice. I don't currently even know where to look. > I hope this will fix these issues. And that will take some times. So > let's wait. There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until November or December. But, you might want to just drop the caps: a system monitor that can kill only your own processes is pretty useful; this is what all other similar tools do. Elevating to kill others might be useful but is not the primary feature I'd expect from such a program. Obviously, this is moot if you prefer to wait for the full fix. > For the nethogs part, the situation is: d-m-s need a library from > it, but the nethogs maintainer of debian doesn't package libnethogs > separately, we(pkg-deepin team) have already request for that , but > got no reply. So I decided to use the nethogs sources within upstream > d-m-s source tree directly to build d-m-s. Maybe this is a bad idea? > Maybe it's better to take a nmu upload for nethogs? Some advice is > very appreciated. Looking at the maintainer's QA page: https://qa.debian.org/developer.php?email=kretcheu%40gmail.com I see he's not very active but nowhere close to being gone (did three uploads of other packages this year). It's likely he saw the request but couldn't act on it immediately -- what about pinging him if that's the case? Also, most people are a lot more willing to accept a patch compared to being told to do the work themselves. > > d-s-m crashed for me twice (segfault) while casually perusing it, > As for this. The upstream author says It's very sorry for the insufficient > testing. He will try his best to find why and fix it. It seems both of these segfaults happened while shutting down the program. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC? ⠈⠳⣄⠀⠀⠀⠀