Quoting Johannes Schauer Marin Rodrigues (2021-05-05 18:37:35)
> Hi,
>
> Quoting Benjamin Drung (2021-05-05 18:17:23)
> > /bin/ping (from iputils-ping) uses the security capabilities to allow users
> > to use the program:
> >
> > ```
> > $ getcap /bin/ping
> > /bin/ping cap_net_raw=ep
> > ```
> >
> > When generating a squashfs image with mmdebstrap, these security
> > capabilities are lost. Example for a minimal chroot on Debian unstable:
> >
> > ```
> > $ apt install -y bdebstrap mmdebstrap squashfs-tools-ng
> > $ mkdir -p ~/.ssh
> > $ touch ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
> > $ bdebstrap -c /usr/share/doc/bdebstrap/examples/Debian-buster-live.yaml --packages iputils-ping -n example2
> > [...]
> > W: tar2sqfs does not support extended attributes
> > [...]
> > $ rdsquashfs -x /bin/ping example2/root.squashfs
> > $
> > ```
> >
> > Adding `push @taropts, '--xattrs';` after the tar2sqfs warning line 5355
> > will produce a squashfs image that contains the security capabilities:
> >
> > ```
> > $ rdsquashfs -x /bin/ping example2/root.squashfs
> > security.capability=0x0100000200200000000000000000000000000000
> > ```
> >
> > This test was done on Debian unstable and Debian bullseye with mmdebstrap
> > 0.7.5-2 and squashfs-tools-ng 1.0.4-1.
>
> interesting! As you can see from the warning in line 5355, extended attributes
> used to not work with tar2sqfs and it's awesome if that's working now!
>
> Though I'm afraid this is not a change that will make it into bullseye unless
> you have special friends in the release team. ;)

Sure? As I understand it, packages still get accepted when a) they are
non-core and b) have a testsuite - after a 20-day migration delay.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
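Added example, not part of the original thread or of mmdebstrap: a decoder for the `security.capability` value shown in the report, usable to check that an image kept `cap_net_raw` on `/bin/ping`. The layout follows `struct vfs_cap_data` from `linux/capability.h`; the function names and the short capability-name table are this example's own assumptions.

```python
import struct

# Layout and constants follow struct vfs_cap_data in linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (number of 32-bit permitted/inheritable pairs, total xattr size)
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}
# Subset of capability numbers; anything else is rendered as cap_<n>.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

def _names(mask):
    return [CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if mask >> n & 1]

def decode_file_caps(hex_value):
    """Decode a security.capability xattr given as hex (with or without 0x)."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)
    if len(raw) < 4:
        raise ValueError("too short for a vfs_cap_data header")
    (magic,) = struct.unpack_from("<I", raw, 0)  # little-endian magic_etc
    pairs, size = REVISIONS.get(magic & VFS_CAP_REVISION_MASK, (0, 0))
    if len(raw) != size:
        raise ValueError("unknown revision or wrong length")
    permitted = inheritable = 0
    for i in range(pairs):  # the revision 3 rootid trailer is not decoded here
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"revision": magic >> 24,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted),
            "inheritable": _names(inheritable)}

def image_keeps_cap(rdsquashfs_x_output, wanted):
    """True if `rdsquashfs -x` output carries `wanted` as permitted+effective."""
    for line in rdsquashfs_x_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "security.capability":
            caps = decode_file_caps(value)
            return caps["effective"] and wanted in caps["permitted"]
    return False  # no xattr at all: the capability was dropped from the image

if __name__ == "__main__":
    # Output line copied from the report above; "" models the empty output.
    fixed = "security.capability=0x0100000200200000000000000000000000000000"
    print(decode_file_caps(fixed.split("=")[1]))
    print(image_keeps_cap(fixed, "cap_net_raw"), image_keeps_cap("", "cap_net_raw"))
```

Running such a check against every file that carries capabilities in the source chroot catches an image build that silently strips them.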

