On Sun 15 Oct 2023 17:33:07 +0200, Iustin Pop wrote:
> At least you're not lazy. I am, so what I did many times is add a
> build-depends on pandoc, and write the man page in rst or md. I think
> that's a worse solution (pandoc is really heavy), but at least, I don't
> have to go back to *roff.
FWI
Matthew Garrett writes:
> On Thu, Jul 13, 2023 at 08:03:39PM +0200, Timo Röhling wrote:
>
>> qemu is basically an interpreter for foreign machine code. If your
>> threat model allows access to qemu-user-static for an attacker, they
>> can run pretty much any binary as if it were native, and the w
"Trent W. Buck" writes:
> e.g. I expect "SystemCallArchitectures=native" to break for a lot of
> people (anyone doing dpkg --add-architecture)
Short version:
• SystemCallArchitectures=native + debianutils:i386 doesn't break
dpkg-db-backup.service.
• Probabl
Russ Allbery writes:
> "Trent W. Buck" writes:
>
>> As someone who does that kind of thing a lot, I'd rather have
>> the increased annoyance of opt-out hardening than
>> the reduced security of opt-in hardening.
>> Even if it means I occasionall
Russ Allbery writes:
> [⋯]
> We know which PAM modules are installed and
> can analyze the PAM configuration files to know which ones are configured.
> We know which daemons use PAM.
> We similarly know which NSS modules are enabled.
> We can figure out what facilities they require, and could
> a
Philipp Kern writes:
> On 2023-07-05 09:36, Russell Coker wrote:
>> On Monday, 3 July 2023 22:37:35 AEST Russell Coker wrote:
>>> https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
> My fear here would be that you are not in control of what your
> dependencies are doing. This is especia
Marco d'Itri writes:
> This is a good example of what an almost fully sandboxed service looks like:
> https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service
My best score is a little better :-)
On Debian 11 (systemd v247):
→ Overall exposure level for collection4.servic
Marco d'Itri writes:
> On Jul 04, Andrey Rakhmatullin wrote:
>
>> Cool but looks like a lot of work.
[...]
>> start with applying all of them and then looking what needs to be
>> disabled?
> This is what I do.
FYI below is my basic workflow.
Once you've done 2-5 daemons, you get a "feel" for
Marco d'Itri writes:
> On Jul 04, "Trent W. Buck" wrote:
>
>> * If it runs its own process manager (e.g. postfix's "master"),
>> don't bother trying to harden it.
> I disagree. It may not be possible to use NoNewPrivileges, but
RL writes:
> Russell Coker writes:
>
>> https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
>>
>> I think we should make it a release goal to have as many daemons as
>> possible running with systemd security features to aim for a low score
>> from "systemd-analyze security".
>
>
> This re
Paul Wise writes:
> On Tue, 2021-11-16 at 17:57 -0500, Zack Weinberg wrote:
>> Do you know of a tool that does what logcheck does, but operating
>> directly on the journal? Logcheck is the only reason I still have
>> rsyslog installed on the servers I maintain.
>
> https://github.com/cyberitsolu
Package: wnpp
Severity: normal
I request assistance with maintaining the mg package.
There's been a new release waiting to go for months,
but I have been too lazy to do it.
I need someone to either do it or nag me into doing it.
Current mg has a dependency on a new C library "clens".
A working d
Package: wnpp
Severity: wishlist
Owner: "Trent W. Buck" <[EMAIL PROTECTED]>
The rst2pdf utility (see #496864) cannot create hyphenated output
without this library. Therefore I wish to package it for Debian.
Attached is a minimal, draft .diff.gz that I have created.
I do not inte
Package: wnpp
Severity: normal
I request assistance with maintaining the darcs-server package.
Specifically, I need one or two volunteers to help me by testing
prospective packages (prior to uploading to Debian) to make sure that
darcs-server works correctly.
Since I don't use darcs-server perso
pool/main/p/paredit-el
I'm not a DD, so a sponsor is needed to push this change to Debian
proper.
--
Trent W. Buck