$ ./change-override -c main -S zsys
Override component to main
zsys 0.3.3 in focal: universe/admin -> main
zsys 0.3.3 in focal amd64: universe/admin/optional/100% -> main
zsys 0.3.3 in focal arm64: universe/admin/optional/100% -> main
zsys 0.3.3 in focal armhf: universe/admin/optional/100% -> main
** Changed in: zsys (Ubuntu)
Status: New => Confirmed
** Changed in: zsys (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I reviewed zsys 0.3.3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
Unfortunately, the Ubuntu Security Team's tools are not well-developed
when it comes to auditing golang projects, complicating the audit.
zsys is a tool enhancing
Now that the 0.3 series is published, it has the final structure:
- split between daemon and server. Calls are done via GRPC over a Unix socket.
- use polkit for authorization with various levels of actions. Full spec is at
Hello Didier, I agree with you about the snapd, juju, ubuntu-report
(first I've heard of this one), not de-vendoring their code. I
understand they were given some exemptions because they wanted identical
code across all the supported distributions they use.
However, other distributions also want
Hey Seth,
While I agree with this goal, I don't feel this is realistic without a focused
effort within the distro itself as a global goal as I explained in detail in
my answer:
- most of those deps are shared between snapd, juju, ubuntu-report and zsys at
least (like the yaml config parser).
Indeed, we have asked for Go packages to have their vendored code split
out into their own packages to simplify triage, fixing, and minimize
rebuilding:
https://wiki.ubuntu.com/MIRTeam#Embedded_sources_and_static_linking
We'd like the package to build using golang -dev packages and not build
the
After discussion in the MIR team we agreed on a +1 despite being a rather early
0.1 version for:
- already implemented quite some of our requests
- upstream == canonical on this project
- more ideas for isolation are noted and on the todo list
All of this is under the constraint that security is
We discussed way more on IRC, thanks didrocks!
I think we are safer now and low-hanging-fruit fixes are in.
We are ready for a group-decision on allowing it for now given its somewhat
special nature.
didrocks will bring it up in the IRC meeting
- ack on weeport for having internationalization in mind
- https://github.com/ubuntu/zsys/commit/1bec99f4aa6a84c61f30cf12c83515d40ae578db
looks good for some base extra isolation - thanks
P.S. didn't see some of the content inline due to length limits - thanks
for making me aware.
ok on the Lintian warning since you are ok in a pedantic check on Eoan.
Mine was Bionic.
https://bugs.launchpad.net/bugs/1839271
Title:
[MIR] zsys
To manage notifications about this
> > - I know it makes no sense in a container, but fix it so that it properly
> > installs by changing default config/postinst or whatever you see fit
>
> See below, I need an example/more details of what is actually expected.
>
example:
$ apt install zsys
do that in a container and it is not
Thanks for the review Christian! Sorry for the delayed answer, I'm just back
from holidays :)
Thanks also for the details and summary. I think I have some resolved, some
questions and some with no actions. I copy this back here so that we can track
them. Let me know how this feels.
[Summary]
[Summary]
It generally looks good already for being at such an early stage, the following
list covers what I think needs to be added/improved to make it acceptable.
- go issue of embedded libs, can we resolve/reduce this?
Please answer my questions below.
- I know it makes no sense in a