Your message dated Thu, 9 May 2019 22:00:46 +0200
with message-id <[email protected]>
and subject line Re: Bug#880638: release-notes: Document apt sandbox support
[buster]
has caused the Debian Bug report #880638,
regarding release-notes: Document apt sandbox support [buster]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
880638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880638
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release-notes
Severity: wishlist
--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <[email protected]> Mon, 23 Oct 2017 01:58:18 +0200
Seems like it would be prudent to mention that in the release-notes
for buster.
Thanks,
~Niels
--- End Message ---
--- Begin Message ---
On 05-05-2019 20:00, Niels Thykier wrote:
> I think it would make sense for two reasons:
> 1) We had a severe security bug in apt recently and while sandboxing
> would not have prevented it, it still shows that the apt developers
> have been working on hardening apt in general and against future
> threats.
> 2) We advertise apparmor as a new default/recommendation to harden
> Debian. The apt sandboxing would strengthen the image of buster
> providing better (opt-in) security compared to stretch.
>
> But yes, it should certainly only be in "whats-new" given it is opt-in.
Commit 8bb5c11
Paul
signature.asc
Description: OpenPGP digital signature
--- End Message ---
