I am still feeling uncomfortable shipping some crucial GNOME components like Nautilus more insecure than upstream.
An it is not just a matter of having bubblewrap in main or not. Not a matter of the default and anybody who wishes the default upstream security level could rectify this by “sudo apt install bubblewrap“. Because now sandboxing has to be turned off at build time and installing bubblewrap afterwards will not help anything. And it is not that the risks of shipping without sandbox are just theoretical: Ubuntu got some flak for this thumbnailing hole: https://csorianognome.wordpress.com/2017/07/20/clarification-on-a -security-flaw-on-a-thumbnailer/ Adding the Ubuntu release team a to get this in as a FFe as soon as possible. Disabling security features doesn't sound like worthwile Ubuntu modifications. ** Summary changed: - [MIR] bubblewrap + [FFe][MIR] bubblewrap -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709164 Title: [FFe][MIR] bubblewrap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
