Package: lintian Version: 2.5.112 Severity: normal Dear Maintainer,
I think it would be useful if we got some more widespread usage of the security features available in systemd service units. I'm not sure how to properly check if a service uses a good amount hardening/security options, but I think currently there's enough services in debian that uses *none* that it's probably useful to just check and warn about that. Hopefully once a maintainer starts looking at this at all (s)he will discover and use more than one. Hopefully also starting a discussion with their upstream which might even improve and refine further for upcoming releases. One can always dream right? Maybe in the future lintian can leverage something of the recently implemented things in systemd tooling that was recently mentioned at: https://twitter.com/pid_eins/status/1060881595106762752 (and other previous tweets) As a start for now we could do something like: grep -qE '^#?P(protect|rivate)' $FOOSERVICE || echo "Please enable some security options for your service" Relevant links to show in the lintian tag: http://0pointer.de/blog/projects/security.html https://www.freedesktop.org/software/systemd/man/systemd.exec.html man:systemd.exec(5) While working with these security options is much easier than using something like selinux or apparmour, there's still potential for getting things wrong. I think it would be useful to mention in the lintian tag description that people should collaborate with their upstreams about the changes (and in general upstream their service files rather than carry them in debian/*.service). Regards, Andreas Henriksson