MoritzMuehlenhoff added a comment. I don't have any concerns/objections about setting this up, I mostly wanted to know the status of the various countermeasures mentioned in this task.
> What kind of measures do you propose? systemd supports various features to restrict running processes, e.g. for restricting filesystem access or through disallowing potentially harmful syscalls using seccomp-bpf. This doesn't need to be present in the initial deployment, but it would be good to add in a followup step. TASK DETAIL https://phabricator.wikimedia.org/T90115 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp, MoritzMuehlenhoff Cc: ksmith, JanZerebecki, Bene, MoritzMuehlenhoff, GWicke, Thompsonbry.systap, Smalyshev, Joe, Liuxinyu970226, csteipp, Beebs.systap, Haasepeter, Aklapper, Manybubbles, jkroll, Wikidata-bugs, Jdouglas, aude, Krenair, Malyacko _______________________________________________ Wikidata-bugs mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
