jmm at inutil.org
Wed Oct 14 10:08:19 BST 2020
On Wed, Oct 14, 2020 at 10:59:18AM +1030, Andrew Savchenko wrote:
> Package: systemd
> Version: 241-7~deb10u4
> Tags: security, buster, bullseye
> Severity: wishlist
> Dear Maintainers,
> Among others, /usr/bin/systemd-analyze can be called with "security" parameter
> which shows sandboxing settings of the loaded units on the scale from 0 to 10.
> On Debian v10.6 vast majority of the services are reported as "unsafe" with
> exposure score >9. This includes sshd, unattended-upgrades and others.
> Is there a plan to improve situation for Bullseye? I think maintainers of
> Whonix project, which is based on Debian, are using it for some services they
> ship in addition to base (sdwdate, onion-grater, etc).
what you can do is to fetch systemd units for services that interest you from
Whonix and diff them against the current versions in Debian unstable.
If there's a difference and the Debian package with updated systemd unit continues
to work fine in your tests, submit it as a patch to the Debian BTS or a merge request
for Salsa/Gitlab for the respective packages so that the maintainer can evaluate them.
More information about the Pkg-systemd-maintainers