Thanks for the heads-up Alessandro, that's great news! After refreshing my mind about this, let me try to summarize the current situation:
#1 - AppArmor changes have not yet landed in dbus-broker upstream, but are carried as a Debian & Ubuntu delta: https://github.com/bus1/dbus-broker/pull/286 #2 - From Mark's security review (comment #5), things are looking mostly good, especially now that we have the AppArmor patch (#1). But we don't have a final security ACK, yet. So need anoter review. #3 - We want to demote dbus-daemon from src:dbus. This also includes the "dbus-run-session" binary, which is not used by GDM 49+ anymore, but many others (not necessarily in "main", https://codesearch.debian.net/search?q=dbus-run-session&literal=1&perpkg=1) #4 - Out of src:dbus, we likely want to keep the "dbus-bin", "dbus-{system,session}-bus-common" and "libdbus-1-3" binaries in "main", as they provide independent policy or client library support. #5 - dbus-daemon currently has 3 reverse-depends in "main" that are blocking its demotion * "dbus", * "dbus-user-session", * "dbus-x11", which in turn have many transitive reverse-depends in "main" that we need to get rid of (some of which are seeds): $ reverse-depends -r questing -c main dbus Reverse-Recommends ================== * gvfs-daemons * libdbus-1-3 Reverse-Depends =============== * fprintd [amd64 arm64 armhf ppc64el riscv64 s390x] * language-selector-common * lvm2-dbusd * networkd-dispatcher * nfs-ganesha [amd64 arm64 armhf ppc64el riscv64 s390x] * pacemaker [amd64 arm64 armhf ppc64el riscv64 s390x] * rhythmbox [amd64 arm64 armhf ppc64el riscv64 s390x] * ubuntu-cloud-minimal [amd64 arm64 armhf ppc64el riscv64 s390x] * ubuntu-server-minimal [amd64 arm64 armhf ppc64el riscv64 s390x] $ reverse-depends -r questing -c main dbus-user-session Reverse-Recommends ================== * bluez-obexd * libpam-systemd * pinentry-gnome3 * pipewire-bin * rygel [amd64 arm64 armhf ppc64el riscv64 s390x] Reverse-Depends =============== * xdg-desktop-portal-gnome [amd64 arm64 armhf ppc64el riscv64 s390x] * xdg-desktop-portal-gtk [amd64 arm64 armhf ppc64el riscv64 s390x] $ reverse-depends -r questing -c main dbus-x11 Reverse-Depends =============== * ubiquity * ubuntu-wsl [amd64 arm64] * xdg-desktop-portal-gnome * xdg-desktop-portal-gtk #2 needs to be tackled by the security team #5 needs to be tackled by some owning team, working through all those dependencies and checking if they can be switched to "default-dbus-system-bus", "dbus-system-bus", or "dbus-broker | dbus-daemon" Depends or if the Depends/Recommends can be dropped or downgraded to a "Suggests". Do we have anyone driving those changes? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2015538 Title: [MIR] dbus-broker To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
