Re: systmd-analyze security as a release goal

To: debian-devel@lists.debian.org
Subject: Re: systmd-analyze security as a release goal
From: "Trent W. Buck" <trentbuck@gmail.com>
Date: Wed, 05 Jul 2023 11:18:57 +1000
Message-id: <[🔎] 871qhntata.fsf@gmail.com>
References: <[🔎] 13735258.RDIVbhacDa@cupcakke> <[🔎] 86jzvg6btb.fsf@simplex.rtf.org.uk> <[🔎] ZKNAQjX6pqHUceNK@bongo.bofh.it>

Marco d'Itri <md@Linux.IT> writes:
> This is a good example of what an almost fully sandboxed service looks like:
> https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service

My best score is a little better :-)

On Debian 11 (systemd v247):
→ Overall exposure level for collection4.service: 0.2 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.7 OK 🙂

On Sid (systemd v253):
→ Overall exposure level for collection4.service: 0.4 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.8 OK 🙂

https://github.com/trentbuck/collection4/blob/main/debian/service


PS: I worked out to invoke it in offline mode (for lintian) you do this:

      systemd-analyze --offline=yes ./path/to/foo.service

    I didn't understand (from the manpage) that I could pass a file instead of a unit name, so
    I wasted a lot of time trying to make a minimal --root=tmpdir work.
    Also it won't accept "./debian/service", nor a symlink to same.

Reply to:

References:
- systmd-analyze security as a release goal
  - From: Russell Coker <russell@coker.com.au>
- Re: systmd-analyze security as a release goal
  - From: RL <richard.lewis.debian@googlemail.com>
- Re: systmd-analyze security as a release goal
  - From: Marco d'Itri <md@Linux.IT>

Prev by Date: Re: systmd-analyze security as a release goal
Next by Date: Re: systmd-analyze security as a release goal
Previous by thread: Re: systmd-analyze security as a release goal
Next by thread: Re: systemd-analyze security as a release goal
Index(es):
- Date
- Thread