
Re: man-db hardening fixes



On 01/02/24 at 13:34, Colin Watson wrote:
> On Thu, Feb 01, 2024 at 05:41:19PM +0530, Utkarsh Gupta wrote:
> > On Thu, Feb 1, 2024 at 1:44 AM Colin Watson <cjwatson@debian.org> wrote:
> > > I'm both the Debian and upstream maintainer of man-db.  I'm considering
> > > uploading some variation of the attached diff to buster-security LTS.
> > > They're adjustments to hardening arrangements, so they do have some
> > > security relevance, although I'm aware they aren't really security fixes
> > > as such; nevertheless, I'd like to make these changes since it's better
> > > than having people get into the habit of disabling hardening measures
> > > that get in their way.
> > >
> > > Would anyone like to review this?  FWIW, my assessment is that these
> > > changes are low-risk in terms of regression potential, since they just
> > > add a couple of extra entries to existing rulesets and so shouldn't
> > > disallow anything that's currently allowed.
> > 
> > Whilst the debdiff looks good, I see that you haven't unapplied the
> > patch as I can still see changes in lib/sandbox.c in the diff. I am
> > hoping that's what has happened.
> 
> That's just the effect of me using "git diff" to simulate debdiff when
> also using git-dpm, which maintains the git working tree in a
> patches-applied state.  Sorry for the confusion.
> 
> > The changelog entry timestamp also might need a refresh. It says -
> > Sat, 31 Aug 2019. :)
> 
> Oh yeah, I queued up the first of those two patches a long time ago and
> then never got round to organizing an actual stable update for it. :-)
> I'll run "dch -r" before uploading, of course.
> 
> > Other than the above two points, it looks good, please go ahead.
> 
> Thanks, will do.

Hi Colin,

And thanks for taking care of man-db in buster too :-)

As part of the LTS workflow, we keep information about VCS of the
packages uploaded, including git tags for every upload.

Would you be OK to keep the LTS version commits in
https://salsa.debian.org/debian/man-db ?
If yes, it would be necessary to create a (debian/)buster branch, and tag
the commit you recently released. I could also do it if you wish.

If you prefer to keep a separate repository, I will fork it under the
lts-team/packages namespace and will do the relevant tasks there.

Cheers!

 -- Santiago
