Hi, I've made a new upload of schroot to unstable which fixes a few security- and upgrade-related bugs. The bulk of the changes are documentation (manual pages, release notes and changelogs). The code changes are tiny, but are important to have to upgrade from lenny cleanly and fully document security issues and program behaviour. Please could you consider unblocking for squeeze? Thanks, Roger #601043, #605939: Upgrade failure when upgrading from lenny. The restrictions on valid filenames were make much stricter in 1.4.0 (later than Lenny), meaning many configurations are broken when upgrading. After auditing all validation and usage paths in the code, I've relaxed the naming restrictions such that it remains secure, but allows most names which were valid in lenny. There's a complete rationale for the naming restrictions in schroot.conf(5). #605950 This is a regression which results in mount options in the configuration file being ignored. They are now correctly preserved. #606162 This is a performance regression which caused schroot to run extremely poorly on large heavily loaded systems; this speeds up session cleanup by orders of magnitude by using shell builtins rather than invoking readlink once per running process on the system #587758 Documentation of security issues relating to configuration #599380 Documentation update (non-essential) schroot (1.4.16-1) unstable; urgency=low * New upstream stable release. * Document schroot -- option delimiter in schroot(1) (Closes: #599380). * Document security implications of bind-mounting /dev and other filesystems in schroot.conf(5) (Closes: #587758). * Relax chroot naming restrictions (Closes: #601043, #605939). The name may not contain a leading period (‘.’). The characters ‘:’ (colon), ‘,’ (comma) and ‘/’ (forward slash) are not permitted anywhere in the name. The name may also not contain a trailing tilde ('~'). Otherwise any characters are permitted. * 10mount: Respect mount options from configuration for all mountable chroot types (Closes: #605950). Thanks to Nelson Elhage for this patch. * 15killprocs: Improve performance by omitting a readlink call for each process running on the system, leading to a significant reduction in overhead on busy systems (Closes: #606162). Thanks to Anders Kaseorg for this patch. -- Roger Leigh <rleigh@debian.org> Tue, 07 Dec 2010 12:29:25 +0000 Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
Attachment:
signature.asc
Description: Digital signature