Bug#880638: marked as done (release-notes: Document apt sandbox support [buster])

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Thu, 9 May 2019 22:00:46 +0200
with message-id <118a5845-8d14-54ec-1c59-1f9eb3d8e17e@debian.org>
and subject line Re: Bug#880638: release-notes: Document apt sandbox support [buster]
has caused the Debian Bug report #880638,
regarding release-notes: Document apt sandbox support [buster]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
880638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880638
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: release-notes: Document apt sandbox support [buster]
• From: Niels Thykier <niels@thykier.net>
• Date: Fri, 03 Nov 2017 07:37:12 +0100
• Message-id: <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net>

Package: release-notes
Severity: wishlist

--- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
apt (1.6~alpha1) unstable; urgency=medium

  All methods provided by apt except for cdrom, gpgv, and rsh now
  use seccomp-BPF sandboxing to restrict the list of allowed system
  calls, and trap all others with a SIGSYS signal. Three options
  can be used to configure this further:

    APT::Sandbox::Seccomp is a boolean to turn it on/off
    APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
    APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

  Also, sandboxing is now enabled for the mirror method.

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200


Seems like it would be prudent to mention that in the release-notes
for buster.

Thanks,
~Niels

--- End Message ---

--- Begin Message ---

• To: 880638-done@bugs.debian.org
• Subject: Re: Bug#880638: release-notes: Document apt sandbox support [buster]
• From: Paul Gevers <elbrus@debian.org>
• Date: Thu, 9 May 2019 22:00:46 +0200
• Message-id: <118a5845-8d14-54ec-1c59-1f9eb3d8e17e@debian.org>
• In-reply-to: <[🔎] 32d7964f-a490-d454-e1ca-ce4997585a41@thykier.net>
• References: <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <8bf7dcf2-4fee-5ed8-364c-a82cb1eba08e@thykier.net> <8bf7dcf2-4fee-5ed8-364c-a82cb1eba08e@thykier.net> <c693d0fd-3c8d-820f-e22a-794b93603ad0@debian.org> <c693d0fd-3c8d-820f-e22a-794b93603ad0@debian.org> <150969103297.2406.11516580228555447847.reportbug@mangetsu.thykier.net> <[🔎] 32d7964f-a490-d454-e1ca-ce4997585a41@thykier.net>

On 05-05-2019 20:00, Niels Thykier wrote:
> I think it would make sense for two reasons:
>  1) We had a severe security bug in apt recently and while sandboxing
>     would not have prevented it, it still shows that the apt developers
>     have been working on hardening apt in general and against future
>     threats.
>  2) We advertise apparmor as a new default/recommendation to harden
>     Debian.  The apt sandboxing would strengthen the image of buster
>     providing better (opt-in) security compared to stretch.
> 
> But yes, it should certainly only be in "whats-new" given it is opt-in.

Commit 8bb5c11

Paul

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---