
Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]



On Mon 04/09 14:02, Adam Borowski wrote:
> On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote:
> > Hi, Adam
> > Many thanks for checking my package and pointing out these issues.
> > I have communicated with the upstream author of deepin-system-monitor, and he
> > confirmed these security problems. As a result, he is willing to modify
> > the d-s-m sources to limit the privileged operations to a very small
> > helper program with some capabilities; at the same time he
> > will refactor the GUI program of d-s-m to perform these operations by
> > sending requests to the helper program via dbus. The helper program will
> > refuse any other request which is not sent from d-s-m.
> 
> You might want to ask someone with a clue about policykit/etc for advice.  I
> don't currently even know where to look.
> 
> > I hope this will fix these issues. And that will take some time. So
> > let's wait.
> 
> There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until
> November or December.
> 
> But, you might want to just drop the caps: a system monitor that can kill
> only your own processes is pretty useful; this is what all other similar
> tools do.  Elevating to kill others might be useful but is not the primary
> feature I'd expect from such a program.
> 
> Obviously, this is moot if you prefer to wait for the full fix.
> 
> > For the nethogs part, the situation is: d-s-m needs a library from
> > it, but the nethogs maintainer in Debian doesn't package libnethogs
> > separately. We (the pkg-deepin team) have already requested that [1], but
> > got no reply. So I decided to use the nethogs sources within the upstream
> > d-s-m source tree directly to build d-s-m. Maybe this is a bad idea?
> > Maybe it's better to do an NMU upload of nethogs? Some advice would be
> > very much appreciated.
> 
> Looking at the maintainer's QA page:
> https://qa.debian.org/developer.php?email=kretcheu%40gmail.com
> I see he's not very active but nowhere close to being gone (did three
> uploads of other packages this year).  It's likely he saw the request but
> couldn't act on it immediately -- what about pinging him if that's the case?
> Also, most people are a lot more willing to accept a patch compared to being
> told to do the work themselves.
> 
> > > d-s-m crashed for me twice (segfault) while casually perusing it,
> > As for this: the upstream author says he is very sorry for the insufficient
> > testing. He will try his best to find out why and fix it.
> 
> It seems both of these segfaults happened while shutting down the program.
> 
> 
> Meow!
> -- 
> ⢀⣴⠾⠻⢶⣦⠀ 
> ⣾⠁⢰⠒⠀⣿⡁ 
> ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
> ⠈⠳⣄⠀⠀⠀⠀

I will try to communicate more with the upstream author several times,
to help him to believe policykit is a better solution before he starts to
refactor the code. During this time, I will prepare a patch set and send
it to the nethogs maintainer to try to solve the libnethogs problem. Thanks for
the advice on this :) .


-- 
Yanhao Mo
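For reference, this is what the policykit route discussed above looks like on the helper side. It is an added example, not code from this thread or from the deepin project: a polkit action definition that a small privileged D-Bus helper would consult before killing a process it does not own. The action id `com.deepin.systemmonitor.kill-process`, the vendor string and the file name `/usr/share/polkit-1/actions/com.deepin.systemmonitor.policy` are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Example polkit action file for a hypothetical deepin-system-monitor
     helper. Installed to /usr/share/polkit-1/actions/ (path and action id
     are assumptions for this example). -->
<policyconfig>
  <vendor>deepin-system-monitor (example)</vendor>

  <action id="com.deepin.systemmonitor.kill-process">
    <description>Terminate a process owned by another user</description>
    <message>Authentication is required to terminate a process that
      belongs to another user</message>
    <defaults>
      <!-- Never allow without authentication, not even for the admin
           group: every cross-user kill goes through an explicit prompt. -->
      <allow_any>no</allow_any>
      <!-- Sessions that are not on the active seat (e.g. a remote login)
           are refused outright rather than prompted. -->
      <allow_inactive>no</allow_inactive>
      <!-- Active local session: ask for the admin password once and
           remember the answer for a short while (auth_admin_keep). -->
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

With a file like this installed, the helper does not need to trust that a request "came from d-s-m" (any process on the bus can claim that). Instead, on each kill request it passes the caller's unique bus name to `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` as the subject (`("system-bus-name", {"name": sender})`), the action id above, and the `AllowUserInteraction` flag, and only calls `kill(2)` if polkit reports `is_authorized`. Polkit identifies the real caller through the bus daemon, so the decision rests on who is asking, not on what the client says it is. Killing the caller's own processes needs no action at all and can stay in the unprivileged GUI, which matches the simpler option of dropping the capabilities entirely.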
