On Fri, 03 Nov 2017 07:37:12 +0100 Niels Thykier <ni...@thykier.net> wrote:
> Package: release-notes
> Severity: wishlist
>
> --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> apt (1.6~alpha1) unstable; urgency=medium
>
>   All methods provided by apt except for cdrom, gpgv, and rsh now
>   use seccomp-BPF sandboxing to restrict the list of allowed system
>   calls, and trap all others with a SIGSYS signal. Three options
>   can be used to configure this further:
>
>     APT::Sandbox::Seccomp is a boolean to turn it on/off
>     APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
>     APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
>
>   Also, sandboxing is now enabled for the mirror method.
>
>  -- Julian Andres Klode <j...@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200
>
>
> Seems like it would be prudent to mention that in the release-notes
> for buster.
>
> Thanks,
> ~Niels
Note to self/update: The feature is (now) *off* by default (see #890489).

Thanks,
~Niels
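The trap behaviour the quoted NEWS entry describes (an allow-list of syscalls, everything else answered with SIGSYS) can be reproduced in a few lines; the program below is an added demonstration written for this report, not apt's own sandbox code, and its names (DEMO_ARCH, install_filter, run_sandboxed) and the x86_64/aarch64 Linux-with-glibc assumption are mine. A child installs a filter that allows only exit and, optionally, getpid, then calls getpid(): with getpid missing from the list the child dies with SIGSYS, which is exactly what a method would see if it used a syscall that is not covered by APT::Sandbox::Seccomp::Allow.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __x86_64__
#define DEMO_ARCH AUDIT_ARCH_X86_64
#else
#define DEMO_ARCH AUDIT_ARCH_AARCH64 /* demo assumes x86_64 or aarch64 */
#endif

/* Allow-list filter in the style of apt's sandbox: syscalls in allowed[] pass,
 * anything else returns SECCOMP_RET_TRAP, so the kernel raises SIGSYS. */
static int install_filter(const int *allowed, int n)
{
    struct sock_filter prog[4 + 2 * 8 + 1]; int k = 0; /* up to 8 allowed syscalls */
    /* Reject foreign-ABI calls first: syscall numbers differ between architectures. */
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < n && i < 8; i++) {
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter and then calls getpid(). Returns the
 * child's exit status, or the signal that killed it (SIGSYS for a trapped call). */
int run_sandboxed(int allow_getpid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int allowed[3] = { SYS_exit_group, SYS_exit, SYS_getpid };
        if (install_filter(allowed, allow_getpid ? 3 : 2) != 0) _exit(100);
        (void)getpid();   /* trapped -> SIGSYS, unless getpid is on the list */
        _exit(0);         /* exit_group is always on the list */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}
```

Running run_sandboxed(0) reports signal 31 (SIGSYS) while run_sandboxed(1) reports a clean exit; the same difference is what turning a syscall name from Trap into Allow changes for an apt method.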