Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: mini-httpd@packages.debian.org
Control: affects -1 + src:mini-httpd

Please unblock package mini-httpd

Hi, the lack of autopkgtests in mini-httpd blocks the transition from 1.30-12 to 1.30-13 to testing. There were no tests when I rescued the package and I didn't have enough time to write some yet. I'd really need this version to make its way into Trixie as it fixes a nasty bug affecting 12 and some previous versions. Detailing below.

Specifically, 1.30-13 closes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105097

In a nutshell, the included systemd service has hardening enabled and by default in 1.30-12, blacklists the chroot syscall wrongly. This results in the config option chroot=1 (which is quite commonly used, hence the issue) breaking, the server fails to start. If users upgrading from bookworm have chroot=1, their web server will magically be broken in trixie. This is fixed in 13 by whitelisting the chroot syscall. This used to work long before because there was no systemd service to begin with.

I approve all changes, as I am the only maintainer here and wrote all the patches. I attach the debdiff which is tiny, there is a single relevant line in the mini-httpd.service file. The rest is only changelog and updated copyright years.

Thank you very much and I hope the transition happens in time for trixie. Please mail me if you need any other information whatsoever.

Have a great day,
Alexandru Mihail
mini-httpd maintainer

unblock mini-httpd/1.30-13
diff -Nru mini-httpd-1.30/debian/changelog mini-httpd-1.30/debian/changelog --- mini-httpd-1.30/debian/changelog 2025-03-09 13:51:39.000000000 +0200 +++ mini-httpd-1.30/debian/changelog 2025-05-12 18:25:39.000000000 +0300 @@ -1,3 +1,12 @@ +mini-httpd (1.30-13) unstable; urgency=medium + + * Adds chroot syscall exception to SystemCallFilter in the service. + This allows operation in chroot mode when using the service. + (Closes: #1105097) + * Update copyright years for debian scripts. + + -- Alexandru Mihail <alexandru.mihail2897@gmail.com> Mon, 12 May 2025 18:25:39 +0300 + mini-httpd (1.30-12) unstable; urgency=medium * Declare compliance with Standards-Version 4.7.2. (no changes required). diff -Nru mini-httpd-1.30/debian/copyright mini-httpd-1.30/debian/copyright --- mini-httpd-1.30/debian/copyright 2023-12-03 23:57:54.000000000 +0200 +++ mini-httpd-1.30/debian/copyright 2025-05-12 18:15:43.000000000 +0300 @@ -56,7 +56,7 @@ Files: debian/* Copyright: 2006-2015 Marvin Stark <marv@der-marv.de> 2015 Jose dos Santos Junior <j.s.junior@live.com> - 2023 Alexandru Mihail <alexandru.mihail2897@gmail.com> + 2023-2025 Alexandru Mihail <alexandru.mihail2897@gmail.com> License: BSD-2-clause License: BSD-2-clause diff -Nru mini-httpd-1.30/debian/mini-httpd.service mini-httpd-1.30/debian/mini-httpd.service --- mini-httpd-1.30/debian/mini-httpd.service 2024-04-14 15:08:04.000000000 +0300 +++ mini-httpd-1.30/debian/mini-httpd.service 2025-05-12 17:54:03.000000000 +0300 @@ -15,6 +15,7 @@ CapabilityBoundingSet=~CAP_BPF CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_TTY_CONFIG \ CAP_SYS_BOOT CAP_MAC_* CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_PTRACE SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @reboot @raw-io +SystemCallFilter=chroot RestrictNamespaces=~uts ipc pid user cgroup ProtectKernelTunables=yes ProtectKernelModules=yes
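Review bot: In debian/mini-httpd.service, the added `SystemCallFilter=chroot` line only has the intended effect because it comes after the `SystemCallFilter=~@clock ... @mount ...` deny-list line, and nothing in the unit records that. systemd takes the list type from the first SystemCallFilter= it encounters, and chroot is being carved back out of @mount, so a comment above the new line saying that it re-allows chroot for chroot=1 and must stay below the deny-list would protect it from a later reorder or merge of the two lines. The same comment could mention that CAP_SYS_CHROOT has to stay out of the `CapabilityBoundingSet=~` list, as it does in the context lines shown.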
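Review bot: In debian/changelog, the first bullet of the 1.30-13 entry starts with "Adds chroot syscall exception" while the second bullet ("Update copyright years") and the 1.30-12 entry ("Declare compliance") use the imperative, so "Add chroot syscall exception ..." would be consistent. The bullet could also name debian/mini-httpd.service explicitly, since "the service" is the only pointer to the file that carries the fix.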
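A way to check the behaviour described in this report before shipping a unit, as an added example (not code from the package or its maintainer): it evaluates `SystemCallFilter=` lines using the first-line-decides rule documented in systemd.exec(5). The group table and unit fragments are constructed and partial, and `GROUPS`, `expand` and `syscall_allowed` are hypothetical names.

```python
# Constructed, partial group table (assumption): only the members needed here.
# Real membership: `systemd-analyze syscall-filter @mount`.
GROUPS = {"@mount": {"chroot", "mount", "umount2", "pivot_root"}}

# Constructed unit fragments modelled on the SystemCallFilter lines in the debdiff.
UNIT_1_30_12 = "[Service]\nSystemCallFilter=~@clock @module @mount @reboot\n"
UNIT_1_30_13 = UNIT_1_30_12 + "SystemCallFilter=chroot\n"


def expand(tokens, groups):
    """Expand @group names to syscall names; strip ':errno' suffixes.
    Groups missing from the table expand to nothing."""
    names = set()
    for tok in tokens:
        tok = tok.split(":", 1)[0]
        names |= groups.get(tok, set()) if tok.startswith("@") else {tok}
    return names


def syscall_allowed(unit_text, syscall, groups=GROUPS):
    """The first SystemCallFilter= line fixes the list type (allow or deny);
    later lines add to or remove from that list. The basic syscalls systemd
    implicitly permits in allow-list mode are not modelled."""
    deny_mode, listed = None, set()
    joined = unit_text.replace("\\\n", " ")    # fold line continuations
    for line in joined.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "SystemCallFilter":
            continue
        value = value.strip()
        if not value:                           # empty assignment resets the filter
            deny_mode, listed = None, set()
            continue
        negated = value.startswith("~")
        names = expand(value.lstrip("~").split(), groups)
        if deny_mode is None:
            deny_mode = negated
        if negated == deny_mode:
            listed |= names                     # same type as first line: extend
        else:
            listed -= names                     # opposite type: carve out
    if deny_mode is None:
        return True                             # no filter configured
    return (syscall not in listed) if deny_mode else (syscall in listed)
```

With the two lines in the opposite order the first line becomes an allow-list and the deny line then empties it, so the check reports chroot as blocked.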