tl/dr: I started reviewing this request, but didn't finish.
The biggest thing I tripped over was that the debdiff is against current stretch, not against stretch-security. So I found myself seeing changes in the diff which had already been made on stretch installations, in practice. Is this normal ? IMO a debdiff against the most recent update, including any security update, would be much more useful. I stopped when I noticed this, so my review was incomplete. But, I found, while reading the diff, that the extra code to fix the permissions code is large and complicated. OTOH I'm not sure we can afford not to have it. OTOH most of the changes described in the changelog sound like ones we would want to take for stretch-updates. The only one I'm a bit wary of is this one + - Let KDE apps bind-mount ~/.config/kdeglobals into the sandbox: whose security implications I don't feel I understand. Is there any more discussion of that ? Thanks, Ian. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
