Hi,
This is an update on the MBF for `Rules-Requires-Root: no` as the new
default.
# Qualitative updates:
* The bugs have all been filed. Most were filed on Dec 7, but I had
to file 15 special cases manually, which happened Dec 14.
* A number of permission denied issues have been iden
16.12.2024 20:55, Michael Tokarev wrote:
16.12.2024 20:08, Russ Allbery wrote:
So, I wouldn't object to undoing that given upstream's stance, but maybe
it would be good to do that in conjunction with adding more hardening to
the default configuration with systemd? systemd-analyze security
postf
* Guillem Jover [2024-11-22 12:29]:
[...]
> * There were concerns (from Fay) about whether given same input the
> output changes per arch or hw setup, we'd need to check this; I'd
> expect this not to be the case for different arches, but it might
> be an issue with number of cores f
On Mon, 2024-12-16 at 21:21 +0300, Michael Tokarev wrote:
> It turns out the reason for this is a myth, which we believed to for
> 25 years - a myth that "On FreeBSD, chroot is painless, but on Linux,
> chroot never works and is only suitable for the ones who want pain".
> Actually, it looks like,
Package: wnpp
Severity: wishlist
Owner: Arthur Diniz
* Package name: golang-k8s-sigs-kustomize-cmd-config
Version : 0.15.0-1
Upstream Author : Kubernetes SIGs
* URL :
https://github.com/kubernetes-sigs/kustomize/tree/master/cmd/config
* License : Apache-2.0
Package: wnpp
Severity: wishlist
Owner: Arthur Diniz
* Package name: golang-k8s-sigs-kustomize-api
Version : 0.18.0-1
Upstream Author : Kubernetes SIGs
* URL : https://github.com/kubernetes-sigs/kustomize/tree/master/api
* License : Apache-2.0
Programming Lan
Package: wnpp
Severity: wishlist
Owner: Arthur Diniz
* Package name: golang-k8s-sigs-kustomize-kyaml
Version : 0.18.1-1
Upstream Author : Kubernetes SIGs
* URL :
https://github.com/kubernetes-sigs/kustomize/tree/master/kyaml
* License : Apache-2.0
Programmin
16.12.2024 20:45, Marco d'Itri wrote:
On Dec 16, Michael Tokarev wrote:
What do you think about this aspect of postfix on debian?
I do not remember ever having any issues about this, and I have been
using Postfix since before it was called Postfix. But if Wietse says
that a chroot default is
16.12.2024 20:08, Russ Allbery wrote:
So, I wouldn't object to undoing that given upstream's stance, but maybe
it would be good to do that in conjunction with adding more hardening to
the default configuration with systemd? systemd-analyze security
postfix@- shows a whole lot of things that coul
On Dec 16, Michael Tokarev wrote:
> What do you think about this aspect of postfix on debian?
I do not remember ever having any issues about this, and I have been
using Postfix since before it was called Postfix. But if Wietse says
that a chroot default is not worth it then I fully trust him.
On 12/16/24 17:45, rhys wrote:
> However, privilege escalation is still a serious issue and should not be
> minimized by its likelihood.
I didn't, my point is that I think they are better/more effectively
addressed with other mechanisms (systemd unit hardening) than chroot.
> The "REAL" danger is t
Michael Tokarev writes:
> The problem though, arises in 2 places.
> 1. Extra nsswitch modules, such as mdns, systemd-resolved (which is
> optional since resolv.conf works), and so on, which expect their
> files to be in the chroot jail (exactly like on FreeBSD with this
> same mechanism
Please read all the way to the bottom before replying. It will save time.
> a) single power-user system (notebook/desktop) which has a local MTA
> to send their own mail out to a proper mail server somewhere on the
> internet
> b) running a proper mail server on the internet
>
> I do b
Dear Debian,
We have discovered that the public IP address of deb.debian.org, which is used
to access the Debian repositories, is listed as a threat or malicious IP
address on http://brightcloud.com/support/lookup.php.
Despite attempting to submit this IP address for removal from the threat list
Hi,
first - thanks a lot for working on postfix packaging, it really needs
some love.
On 12/16/24 15:51, Michael Tokarev wrote:
> What do you think about this aspect of postfix on debian?
my opinion in short: I would get rid of the chrooted complexity, it's
not worth it and introduces way more p
Hi!
For 25 years, Postfix the MTA in Debian has been set up to run chrooted by
default (that's where most postfix internal components run chrooted in
/var/spool/postfix/, to limit possible system damage after a possible
compromise).
This setup has been criticized for 25 years, because of signific
Package: wnpp
Severity: wishlist
Owner: Mike Gabriel
X-Debbugs-Cc: debian-devel@lists.debian.org
* Package name: qtorganizer-mkcal
Version : 0.1.0
Upstream Contact: Damien Caliste (https://github.com/dcaliste)
* URL : https://github.com/dcaliste/qtorganizer-mkcal
* Lic
Package: wnpp
Severity: wishlist
Owner: Karsten Schoeke
X-Debbugs-Cc: debian-devel@lists.debian.org
* Package name: mkdocs-static-i18n
Version : 1.2.3
Upstream Contact: ultrabug
* URL : https://github.com/ultrabug/mkdocs-static-i18n
* License : MIT/X
Program