
Re: man-db hardening fixes



On Thu, Feb 01, 2024 at 05:41:19PM +0530, Utkarsh Gupta wrote:
> On Thu, Feb 1, 2024 at 1:44 AM Colin Watson <cjwatson@debian.org> wrote:
> > I'm both the Debian and upstream maintainer of man-db.  I'm considering
> > uploading some variation of the attached diff to buster-security LTS.
> > They're adjustments to hardening arrangements, so they do have some
> > security relevance, although I'm aware they aren't really security fixes
> > as such; nevertheless, I'd like to make these changes since it's better
> > than having people get into the habit of disabling hardening measures
> > that get in their way.
> >
> > Would anyone like to review this?  FWIW, my assessment is that these
> > changes are low-risk in terms of regression potential, since they just
> > add a couple of extra entries to existing rulesets and so shouldn't
> > disallow anything that's currently allowed.
> 
> Whilst the debdiff looks good, I see that you haven't unapplied the
> patch as I can still see changes in lib/sandbox.c in the diff. I am
> hoping that's what has happened.

That's just the effect of me using "git diff" to simulate debdiff when
also using git-dpm, which maintains the git working tree in a
patches-applied state.  Sorry for the confusion.

> The changelog entry timestamp also might need a refresh. It says -
> Sat, 31 Aug 2019. :)

Oh yeah, I queued up the first of those two patches a long time ago and
then never got round to organizing an actual stable update for it. :-)
I'll run "dch -r" before uploading, of course.

> Other than the above two points, it looks good, please go ahead.

Thanks, will do.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

