Thanks Samir, that sounds like we've got a good understanding that
there are risks here. That's good enough for me.

I skimmed through the debian/rules file from 10.0.102-10.0.2-0ubuntu1
and noticed that we're disabling -mbranch-protection=standard on 23.10
and newer on arm64. This was done over a year ago
(https://github.com/canonical/dotnet-source-build/pull/8/changes) and I'm
curious if it is still relevant today. If it's still necessary, that's
fine, but it'd be nice to not leave this mitigation unused if the
underlying problem has been fixed in the meantime.

I also gave a very cursory look for other potential packaging issues:

- setuid or setgid files
- funny permissions
- pam, sudo, bash drop-ins
- other unexpected files

I found no issues. There may yet be surprises, apologies for not looking
deeper, but it's largely because things have gone well so far.

Security team ACK for promoting dotnet10 to main.

** Changed in: dotnet10 (Ubuntu Resolute)
       Status: New => In Progress

** Changed in: dotnet10 (Ubuntu Resolute)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/2134482

Title:
  [MIR] dotnet10
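
The packaging checks listed in the comment above (setuid/setgid files, odd permissions, pam/sudo/bash drop-ins) can be scripted against the data.tar extracted from a built .deb. This is an added example, not part of the original comment or of the dotnet10 packaging; the drop-in directory list and the sample entries are assumptions constructed for illustration, and "other unexpected files" is left to manual review.

```python
import io
import stat
import tarfile

# Assumed reading of "pam, sudo, bash drop-ins": directories where a package
# can change authentication, privilege or shell-startup behaviour.
DROPIN_DIRS = ("etc/pam.d/", "etc/sudoers.d/", "etc/profile.d/",
               "etc/bash_completion.d/", "usr/share/bash-completion/")

def audit_data_tar(tar):
    """Return sorted (path, finding) pairs for an open data.tar of a .deb."""
    findings = []
    for member in tar:
        path = member.name.removeprefix("./")
        mode = member.mode
        if member.isfile() and mode & stat.S_ISUID:
            findings.append((path, "setuid"))
        if member.isfile() and mode & stat.S_ISGID:
            findings.append((path, "setgid"))
        # Symlink modes are meaningless; sticky world-writable dirs are normal.
        if mode & stat.S_IWOTH and not member.issym():
            if not (member.isdir() and mode & stat.S_ISVTX):
                findings.append((path, "world-writable"))
        if not member.isdir() and path.startswith(DROPIN_DIRS):
            findings.append((path, "drop-in"))
    return sorted(findings)

def build_sample_tar():
    """Constructed sample: an in-memory stand-in for a package's data.tar."""
    entries = [("./usr/lib/example/app", 0o755),
               ("./usr/lib/example/helper", 0o4755),
               ("./usr/share/example/cache.db", 0o666),
               ("./etc/sudoers.d/example", 0o440)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            tar.addfile(info)  # zero-length regular file
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

if __name__ == "__main__":
    for path, finding in audit_data_tar(build_sample_tar()):
        print(f"{finding:15} {path}")
```

An empty result only means none of these specific patterns matched; maintainer scripts and file contents still need a separate look.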
