Summary:
- bug 1896246 essentially is a switch to fully vendorize and done
- there in
https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/1896246/comments/2
security signs off on that approach
- thereby bug 1894731 is essentially dead and I updated it to reflect that
That makes the remaining TODOs a MIR and a security re-evaluate of this
(now vendorized) package.
@Security:
for your re-review:
1. much more code to look at now compared to your forer check
2. you might also reconsider details like the aforementioned:
"Google-shutdown-scripts.service and google-startup-scripts.service run user
provided arbitrary scripts thus they can't be confined."
As IMHO that makes it a prime target to inject attacks if exploitable in any
way.
I'd love to see you sign off on that being ok to be sure.
** Changed in: google-guest-agent (Ubuntu)
Assignee: Balint Reczey (rbalint) => Christian Ehrhardt (paelzer)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1891929
Title:
[MIR] google-guest-agent
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/google-guest-agent/+bug/1891929/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
