[Pkg-privacy-maintainers] Bug#1021911: mailto:submit at bugs.debian.org

Paul Wise pabs at debian.org
Tue Nov 15 00:08:07 GMT 2022


Control: block 1021911 by 502580 970827
Control: retitle 1021911 obfs4proxy: preserve user capability overrides on upgrade

On Mon, 2022-10-17 at 11:29 +0200, Toralf Förster wrote:

> During update the package overwrites an installed /usr/bin/obfs4proxy
> without preserving the capabilities, e.g. set by
> 
>          setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

Unfortunately, dpkg-statoverride doesn't yet support capabilities
(#502580), so preserving capability changes isn't easily possible and
dpkg and the .deb format don't yet support capabilities (#970827) so
obfs4proxy can't easily ship with reliably supported capabilities.

In theory there could be a complicated dance with preinst/postinst
scripts checking for overrides and restoring them after upgrade, but
that would be difficult, so might be best to wait for dpkg support.

One workaround would be for you to add an apt hook for this:

   /etc/apt/apt.conf.d/99-obfs4proxy-capability:

   DPkg::Post-Invoke { "setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy"; };

This would be invoked after every single upgrade that apt does.

Another workaround would be for you to add a dpkg hook for this:

   /etc/dpkg/dpkg.cfg.d/obfs4proxy-capability:
   
   post-invoke=setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

This would be invoked after every single upgrade that dpkg does.

If you are using a metapackage to set up your system it could have a trigger
on the obfs4proxy binary, which would only run on obfs4proxy upgrades.

In all of these workarounds there will be a window of time where the
capability will not be set, so restarting tor/obfs4proxy during those
windows might cause the problem that you discovered.

> BTW, shouldn't an upgrade of obfs4proxy restart Tor unconditionally?

I'm not one of the Tor/obfs4proxy maintainers, so I can't answer that.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
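
An added example, not part of the original message: a helper that the apt or dpkg hook described above could call instead of a bare setcap, re-applying the capability only when getcap shows it missing and logging each restore so the stripped-capability window is visible afterwards. The script path, the `--apply` switch and the log tag are assumptions; the parser accepts both the `path = cap+ep` and `path cap=ep` getcap output styles and only simple grant clauses.

```sh
#!/bin/sh
# Added example (not from the original message). Hypothetical install path:
#   /usr/local/sbin/restore-obfs4proxy-cap
# Hook usage, replacing the bare setcap call (dpkg.cfg.d form shown):
#   post-invoke=/usr/local/sbin/restore-obfs4proxy-cap --apply

BIN=/usr/bin/obfs4proxy      # binary named in the bug report
CAP=cap_net_bind_service     # capability named in the bug report

# has_cap GETCAP_LINE CAP
# Succeeds when the getcap line grants CAP with both the effective (e) and
# permitted (p) flags. Handles both output styles:
#   /usr/bin/obfs4proxy = cap_net_bind_service+ep
#   /usr/bin/obfs4proxy cap_net_bind_service=ep
has_cap() {
    caps=${1#* }             # drop the leading path
    caps=${caps#= }          # drop the "= " separator, if present
    for clause in $caps; do
        names=${clause%%[=+]*}      # comma-separated capability names
        flags=${clause#"$names"}    # operator plus flag letters, e.g. "=ep"
        case ",$names," in *",$2,"*) ;; *) continue ;; esac
        case $flags in *e*p*|*p*e*) return 0 ;; esac
    done
    return 1
}

# restore_cap: re-apply CAP only when it is missing and log the event, so the
# system log records every package operation that stripped it.
restore_cap() {
    [ -x "$BIN" ] || return 0       # package removed: do not fail the hook
    if has_cap "$(getcap "$BIN" 2>/dev/null)" "$CAP"; then
        return 0
    fi
    setcap "$CAP=+ep" "$BIN" || return 1
    logger -t obfs4proxy-cap "re-applied $CAP on $BIN after package operation"
}

# Act only when invoked as the hook; without --apply the file just defines functions.
case "${1:-}" in --apply) restore_cap ;; esac
```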