Hi Antonio,

On Fri, May 09, 2025 at 08:31:22AM -0600, Antonio Russo wrote:
> I'd also like to confirm there is a policy (or at least agreement)
> that running code as root unnecessarily is a problem.

Quoting https://release.debian.org/trixie/rc_policy.txt :

    In addition to the issues listed in this document, an issue is
    release critical if it:

    * introduces a security hole on systems where you install the
      packages (these issues are "critical" severity)

    5. General

    (b) Security

    Programs must be setup to use the minimum privileges they can.
    (ie, not setuid where setgid will suffice; not setuid root where
    setuid some other user will suffice; setuid root for the minimum
    period possible, etc)

> I bring that up because I'm concerned that the bug I filed may go
> ignored.

You need to tag security bugs as 'security' in reportbug. Then they
get CCed to the right people and won't be ignored.

You can do this after the fact by responding to the bug, adding
secur...@debian.org to CC and putting the following in the first
lines of your mail to add the tag:

    Control: tags -1 + security

Ideally you should explain in your message what the security impact
of this bug is in your view.

Thanks,
--Daniel