On 17/11/2025 17.10, Daniel P. Berrangé wrote:
On Mon, Nov 17, 2025 at 05:02:38PM +0100, Mark Wielaard wrote:
Hi Chris,
On Sun, 2025-11-16 at 11:35 +0000, Christopher Klooz wrote:
I was asked to put this proposal once to discussion in the community before
officially submitting it:
https://fedoraproject.org/wiki/Changes/Enable_%22kernel.yama.ptrace_scope%22_by_default_to_adopt_upstream_kernel_default_(or_a_more_restrictive_setting_if_unforeseen_impact_is_unrealistic)_to_mitigate_attacks/impacts_due_to_malicious,_vulnerable_or_unmaintained/unupdated_packages/processes
Like the previous proposal I do think it is a little too chatty. Even
the URL is multiple lines long. These walls of text make it really
hard to discuss, because it keeps repeating and mixing facts and your
opinion.
Also currently the Change title is describing the mechanism
of the change, when it should describe the behavioural change
in a way that both Fedora maintainers and Fedora end users will
easily understand.
As mentioned in my second email (about 3 hours after the first one [16/11/2025, 15.54 in
UTC+1]) that considers the feedback of Discourse, the URL will be adjusted to the updated title
before submitting -> "Change kernel.yama.ptrace_scope to match kernel defaults
(mitigates some attack vectors)" -> so at least this issue is solved before submission
🙂 (change summed up in
https://discussion.fedoraproject.org/t/new-proposal-about-kernel-yama-ptrace-scope-two-perspectives-on-this-case-im-open-to-suggestions/172815/8
)
IOW, as well as radically reducing the walls of text, it would
be much better for the title (and thus URL) to be approximately
"Disable ptrace for unprivileged users by default"
I would stick with the suggestion of Fabio (see the discourse link above), as
this one is not 100% true, even if this is likely to be the practical outcome
in most cases. Keep in mind that child processes will not be affected, even in
unprivileged contexts.
With regards,
Daniel
--
_______________________________________________
devel mailing list -- [email protected]