On Sun, Feb 01, 2015 at 10:24:06AM +0100, Niels Thykier wrote:
> On 2015-01-30 01:37, Sebastian Reichel wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> >
> > Please unblock packages:
> > * fso-datad
> > * fso-deviced
> > * fso-frameworkd
> > * fso-gsmd
> > * fso-usaged
> > * phonefsod
> >
> > Reason:
> >
> > security update regarding dbus configuration.
> >
>
> I have unblocked all of these,

Thanks.

> but I do have a few remarks on:
>
> > [...]
> > unblock fso-frameworkd/0.9.5.9+git20110512-5
> > [...]
> >
>
> This package has a few changes that do not follow the described pattern:

Ah right, I forgot to mention those. Basically upstream data looks a bit
different for those lines, so the patch pattern also changes. The important
part is to remove all individual standing send_path policy rules, since they
also are valid for other destinations, which may not evaluate the path at all.

> """
> + <policy context="default">
> + <allow own="org.freesmartphone.ogpsd"/>
> + <allow own="org.freedesktop.Gypsy"/>
> +- <allow send_path="/org/freedesktop/Gypsy"/>
> + <allow send_destination="org.freesmartphone.ogpsd"/>
> + <allow send_destination="org.freedesktop.gypsy"/>
> + </policy>
> """

In this case I just dropped the send_path, since I was not sure about
upstream's exact motivation. Since the additional security gain for the
send_path restriction is marginal (send_destination is already unique and
there is a very low chance of another service using the same destination in
the future) I dropped the rule instead of risking broken machines.

> """
> + <policy context="default">
> + <allow own="org.freesmartphone.odeviced"/>
> +- <allow send_path="/"/>
> + <allow send_destination="org.freesmartphone.odeviced"/>
> + </policy>
> """

Adding the send_path to the send_destination rule does not add further
restrictions => drop it.

> [...]

--
Sebastian
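Review bot: in the ogpsd/Gypsy policy block, the destination rule that remains is `send_destination="org.freedesktop.gypsy"` (lowercase g), while the name owned in the same block is `org.freedesktop.Gypsy`. D-Bus bus names are case-sensitive, so once `send_path="/org/freedesktop/Gypsy"` is removed nothing in this block allows messages addressed to org.freedesktop.Gypsy. Check whether the lowercase spelling comes from upstream and, if clients address the capitalised name, make the send_destination rule match the owned name.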
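Review bot: in the odeviced policy block, `<allow own="org.freesmartphone.odeviced"/>` sits inside `<policy context="default">`, so any local user may claim the service name. Dropping `send_path="/"` is right, since it matched the root path on every destination; consider also moving the own rule into a policy block for the user the daemon runs as and keeping only the send_destination rule in the default context.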
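The pattern discussed in this thread, an allow rule with `send_path` but no `send_destination`, can be found mechanically in a policy file. The following is an added example, not part of the original mail or of the fso packages; the function name and the sample policy are constructed, and the check goes slightly beyond the mail by also flagging `send_interface` and `send_member` rules, which are unscoped in the same way.

```python
import xml.etree.ElementTree as ET

# Attributes that narrow an <allow> rule to particular messages but say
# nothing about which service receives them.
SEND_MATCHERS = ("send_path", "send_interface", "send_member")


def unscoped_send_rules(policy_xml):
    """Return (scope, attributes) for each <allow> rule that matches on
    send_path/send_interface/send_member without a send_destination."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        # A policy block is selected by context=, user=, group= or at_console=.
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            narrows = any(attr in rule.attrib for attr in SEND_MATCHERS)
            if narrows and "send_destination" not in rule.attrib:
                findings.append((scope, dict(rule.attrib)))
    return findings


# Constructed sample: the odeviced and Gypsy send_path rules quoted in the
# mail as they stood before the update, plus one destination-scoped rule
# (with a made-up object path) for contrast.
SAMPLE = """<busconfig>
  <policy context="default">
    <allow own="org.freesmartphone.odeviced"/>
    <allow send_path="/"/>
    <allow send_destination="org.freesmartphone.odeviced"/>
    <allow send_path="/org/freedesktop/Gypsy"/>
    <allow send_destination="org.freesmartphone.ogpsd"
           send_path="/org/freesmartphone/GPS"/>
  </policy>
</busconfig>"""

if __name__ == "__main__":
    for scope, attrs in unscoped_send_rules(SAMPLE):
        print(f"[{scope}] allow {attrs} applies to every destination")
```
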