Hi Salvatore, Security Team,

On Tue, Feb 04, 2025 at 11:58:44AM +0100, Chris Hofstaedtler wrote:
> On Fri, Jan 24, 2025 at 09:56:57AM +0000, Luca Boccassi wrote:
> > On Fri, 24 Jan 2025 01:38:21 +0100 Chris Hofstaedtler <z...@debian.org>
> > wrote:
> > > Control: tags -1 - moreinfo
> > > 
> > > On Thu, Jan 23, 2025 at 07:18:39PM +0000, Luca Boccassi wrote:
> > > > > On Thu, 23 Jan 2025 18:17:28 +0100 Chris Hofstaedtler <z...@debian.org> wrote:
> > > > > Source: systemd
> > > > > Version: 257.2-2
> > > > >
> > > > > please apply this commit to the systemd that trixie will get:
> > > > > 
> > > > > https://github.com/systemd/systemd/commit/a4d18914751e687c9e44f22fe4e5f95b843a45c8
> > > > > 
> > > > > It already changes the default to the value that we want (0600).
> > > > 
> > > > This is quite an invasive patch, that would make stable release
> > > > maintenance more painful and time consuming. Can it not wait for Forky?
> > > > Are there any pressing issues that would be solved with this backport?
> > > 
> > > The old defaults are a partial security problem (depending on who
> > > you ask). Previously users could call "mesg n" to be safe, and some
> > > root bashrcs seem to do that (maybe even by default in some
> > > releases).

[restoring some snipped context]
> > > Given Debian had secure defaults before systemd was introduced, no,
> > > waiting because the systemd patch to do the right thing is too
> > > invasive, is IMO not an option.
> > > 
> > > TBH most of the meson diff doesn't need to exist in Debian, and then
> > > the actually changed lines are like 5 in total.
[/]

> > Can you please clarify the security problem it solves on the upstream
> > PR? If that's the case then it's a candidate for upstream stable
> > backports too, and then it can be picked from there
> 
> Here:
> https://github.com/systemd/systemd/issues/35599#issuecomment-2633559542

Adding you to this bug for awareness.

Chris
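The "mesg n" versus 0620/0600 point discussed above can be checked on a running host. The following is an added audit script, not code from this thread, from systemd or from Debian; it assumes GNU coreutils `stat` (the `-c %A` / `%a` / `%U` formats) and the usual tty group ownership of session devices.

```shell
#!/bin/sh
# Added example: report which TTY devices are still group-writable, i.e. in
# the "mesg y" state that the old 0620 default gives, versus the 0600 default
# the referenced upstream commit introduces ("mesg n" for everyone).
# Assumes GNU stat; device paths follow the usual Linux layout.

# Print "y" if the group-write bit is set on the given device/file, else "n".
tty_mesg_state() {
    perms=$(stat -c %A "$1") || return 1
    # %A is e.g. "crw--w----": the sixth character is the group-write bit.
    case "$perms" in
        ?????w*) echo y ;;
        *)       echo n ;;
    esac
}

# List every session TTY (pseudo-terminals and virtual consoles) whose mode
# still lets other users write to it. Returns 1 if any were found, 0 if none.
audit_ttys() {
    found=0
    for dev in /dev/pts/[0-9]* /dev/tty[0-9]*; do
        [ -c "$dev" ] || continue
        if [ "$(tty_mesg_state "$dev")" = y ]; then
            printf '%s mode=%s owner=%s (mesg y)\n' "$dev" \
                "$(stat -c %a "$dev")" "$(stat -c %U "$dev")"
            found=1
        fi
    done
    return "$found"
}

# Constructed usage (output depends on the host it runs on):
# audit_ttys || echo "group-writable TTYs present; 'mesg n' or a 0600 default closes them"
```

Run `audit_ttys` as root to see every device; an unprivileged user can still call `tty_mesg_state "$(tty)"` on its own terminal.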
