On 17/11/2025 19.03, Daniel P. Berrangé wrote:
> On Mon, Nov 17, 2025 at 05:44:28PM +0000, Christopher Klooz wrote:
>> On 17/11/2025 17.10, Daniel P. Berrangé wrote:
>>> Also currently the Change title is describing the mechanism
>>> of the change, when it should describe the behavioural change
>>> in a way that both Fedora maintainers and Fedora end users will
>>> easily understand.
>>
>> As mentioned in my second email (about 3 hours after the first one
>> [16/11/2025, 15.54 in UTC+1]) that considers the feedback of Discourse,
>> the URL will be adjusted to the updated title before submitting ->
>> "Change kernel.yama.ptrace_scope to match kernel defaults (mitigates
>> some attack vectors)" -> so at least this issue is solved before
>> submission 🙂 (change summed up in
>> https://discussion.fedoraproject.org/t/new-proposal-about-kernel-yama-ptrace-scope-two-perspectives-on-this-case-im-open-to-suggestions/172815/8 )
>>
>>> IOW, as well as radically reducing the walls of text, it would
>>> be much better for the title (and thus URL) to be approximately
>>> "Disable ptrace for unprivileged users by default"
>>
>> I would stick with the suggestion of Fabio (see the discourse
>> link above), as this one is not 100% true, even if this is
>> likely to be the practical outcome in most cases. Keep in mind
>> that child processes will not be affected, even in unprivileged
>> contexts.
>
> IMHO describing the functional impact of the change is better than
> his. With the "Change kernel.yama.ptrace_scope to the kernel default"
> it is still requiring people to learn what 'kernel.yama.ptrace_scope'
> actually does, and then further read up on what the default behaviour
> is. This is needlessly indirect.
>
> With the suggestion I made above, it is clear from the title what
> the change will broadly do without needing to read anything more.

We found in the first debate that we have developers using gdb etc. only for child
processes. At least for them, the title with "disable ptrace for unprivileged users
by default" would be misleading, but I agree: the current title does not describe
the functional impact and the reader will need to read up. I will find a way to update
it. Thanks for that feedback :)

> With regards,
> Daniel