Control: tags -1 - moreinfo

Hi Lorenzo,

On Mon, Mar 17, 2025 at 09:42:51PM +0000, Andrew Bower wrote:
> On Mon, Mar 17, 2025 at 12:47:43AM +0100, Lorenzo wrote:
> > That said, I know this is your least favorite option, I think there are
> > still important details that need to be looked at, and I propose that
> > we take the time to do the testing during early Trixie cycle and then
> > define the final version of the xchpst integration.
>
> It seems to work - all in, it's a neat solution.

The support for the other, unused, approaches like update-alternatives has
now been completely removed in xchpst/0.6.1-1 to keep the footprint small on
trixie users' systems, since that logic will not be needed.

> > > The '--exit' option was specifically added to return exit code 0 so
> > > that it could be used as a test for presence of xchpst - it can also
> > > check compatibility with the selected options.
> >
> > this needs to be thought carefully: a related issue is to decide what to
> > do if one or more required hardening options are not applicable; it
> > looks like security vs resilience tradeoff. it needs to be sorted out
> > in xchpst first.
>
> Yes, this needs review. We should hope that in most cases, rather than a
> trade-off, there is an obvious right answer (abort or continue as best
> effort) so we can minimise excess complexity in configuration.

The man page, xchpst(8), for xchpst/0.6.1-1 now documents the behaviour for
each option that cannot be applied in a table for users.

> Thanks again for adding the compat,

Your solution seems to work well, thanks - and leads to very clear
definitions in service directories!

I look forward to seeing what hardening definitions and new service
directories runit users come up with on their trixie systems for
contributing to forky.

Andrew