Your message dated Thu, 9 May 2019 22:00:46 +0200 with message-id <118a5845-8d14-54ec-1c59-1f9eb3d8e17e@debian.org> and subject line Re: Bug#880638: release-notes: Document apt sandbox support [buster] has caused the Debian Bug report #880638, regarding release-notes: Document apt sandbox support [buster] to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
880638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880638
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release-notes: Document apt sandbox support [buster]
- From: Niels Thykier <niels@thykier.net>
- Date: Fri, 03 Nov 2017 07:37:12 +0100
- Message-id: <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net>
Package: release-notes
Severity: wishlist

--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium

  All methods provided by apt except for cdrom, gpgv, and rsh now use
  seccomp-BPF sandboxing to restrict the list of allowed system calls, and
  trap all others with a SIGSYS signal. Three options can be used to
  configure this further:

    APT::Sandbox::Seccomp is a boolean to turn it on/off
    APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
    APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

  Also, sandboxing is now enabled for the mirror method.

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200

Seems like it would be prudent to mention that in the release-notes for buster.

Thanks,
~Niels
--- End Message ---
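An added example, not part of the original mails or of apt itself: a small POSIX shell audit that reads `apt-config dump` output and reports the three options named in the NEWS entry above. The sample dump and its syscall names are constructed, the function names are hypothetical, and treating an unset boolean as off is an assumption based on the thread describing the feature as opt-in.

```shell
#!/bin/sh
# Audit the APT::Sandbox::Seccomp options from `apt-config dump` output.
# On a real host: apt-config dump | audit_seccomp

# Constructed sample dump (not captured from a real system).
sample_dump() {
cat <<'EOF'
APT::Sandbox "";
APT::Sandbox::User "_apt";
APT::Sandbox::Seccomp "true";
APT::Sandbox::Seccomp::Allow "";
APT::Sandbox::Seccomp::Allow:: "getdents64";
APT::Sandbox::Seccomp::Trap "";
APT::Sandbox::Seccomp::Trap:: "ptrace";
EOF
}

# Print "on" or "off" for the boolean read from stdin.
# Assumption: an unset option counts as off (the thread calls it opt-in).
seccomp_enabled() {
    val=$(sed -n 's/^APT::Sandbox::Seccomp "\(.*\)";$/\1/p' | tail -n 1 |
          tr '[:upper:]' '[:lower:]')
    case "$val" in
        true|yes|on|with|enable|1) echo on ;;
        *) echo off ;;
    esac
}

# Print the entries of the Allow or Trap list ($1), one per line.
seccomp_list() {
    sed -n "s/^APT::Sandbox::Seccomp::$1:: \"\(.*\)\";\$/\1/p"
}

# Summarise all three options; extra Allow entries widen the sandbox.
audit_seccomp() {
    dump=$(cat)
    echo "seccomp: $(printf '%s\n' "$dump" | seccomp_enabled)"
    for name in Allow Trap; do
        for sc in $(printf '%s\n' "$dump" | seccomp_list "$name"); do
            echo "extra $name: $sc"
        done
    done
}

sample_dump | audit_seccomp
```

Entries reported as `extra Allow` are the ones worth reviewing, since each one loosens the syscall filter for every sandboxed method.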
--- Begin Message ---
- To: 880638-done@bugs.debian.org
- Subject: Re: Bug#880638: release-notes: Document apt sandbox support [buster]
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 9 May 2019 22:00:46 +0200
- Message-id: <118a5845-8d14-54ec-1c59-1f9eb3d8e17e@debian.org>
- In-reply-to: <32d7964f-a490-d454-e1ca-ce4997585a41@thykier.net>
- References: <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <8bf7dcf2-4fee-5ed8-364c-a82cb1eba08e@thykier.net> <8bf7dcf2-4fee-5ed8-364c-a82cb1eba08e@thykier.net> <c693d0fd-3c8d-820f-e22a-794b93603ad0@debian.org> <c693d0fd-3c8d-820f-e22a-794b93603ad0@debian.org> <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <32d7964f-a490-d454-e1ca-ce4997585a41@thykier.net>
On 05-05-2019 20:00, Niels Thykier wrote:
> I think it would make sense for two reasons:
> 1) We had a severe security bug in apt recently and while sandboxing
> would not have prevented it, it still shows that the apt developers
> have been working on hardening apt in general and against future
> threats.
> 2) We advertise apparmor as a new default/recommendation to harden
> Debian. The apt sandboxing would strengthen the image of buster
> providing better (opt-in) security compared to stretch.
>
> But yes, it should certainly only be in "whats-new" given it is opt-in.

Commit 8bb5c11

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---