amurray | mcphail: fyi I'm expecting this to be resolved in more like 7 days than a couple of weeks - so will keep pushing on things internally and let you know asap - again, apologies for all the delays on this | 00:07 |
---|---|---|
amurray | blahdeblah: yeah that is a great idea - it would be really interesting to do the analysis to (hopefully) show that since we rebase our kernels on the various stable trees etc that we do not suffer from this | 00:12 |
blahdeblah | amurray: Yeah, my feeling after reading it was similar, and I did question their methodology a bit, but not being an expert in the area I couldn't be definitive. | 00:13 |
amurray | or perhaps it would be enough just to compare open CVEs in our kernels vs RHEL (but in general I don't think anything good ever comes of doing direct comparisons with our peers, particularly if we do it and then try and say - "look how much more secure we are") - instead would just be good to show an analysis that reassures users that Ubuntu *is* secure since we do incorporate all the patches and leave out the comparison bit | 00:15 |
=== chris14_ is now known as chris14 | ||
blahdeblah | amurray: +1 | 07:58 |
mcphail | amurray: thanks again | 08:17 |
ahasenack | georgiag: hi, I just had a bug filed about something I wasn't expecting in apparmor rules, | 19:30 |
ahasenack | georgiag: impact of usr-merge in apparmor profiles, when ugprading from pre-usr-merge distros | 19:30 |
ahasenack | case in point was bionic -> focal upgrade | 19:30 |
ahasenack | in fresh bionic: /bin/uname | 19:30 |
ahasenack | in fresh focal: /usr/bin/uname | 19:30 |
ahasenack | in focal upgraded from bionic: /bin/uname | 19:31 |
ahasenack | (uname is just an example: anything in /bin/ in bionic, if present in an apparmor rule that does not use /{,usr/}, will fail in the upgraded system | 19:31 |
ahasenack | I had a nice "%if bionic" in the apparmor template, and was accounting for these differences where needed, but always assuming the "fresh" installation case | 19:32 |
ahasenack | this upgrade-from-bionic got me | 19:32 |
ahasenack | do you remember similar bugs back in 2020 (focal's release), from people upgrading from bionic to focal? Just trying to get some an idea if there is a pattern to addressing this | 19:33 |
georgiag | ahasenack: I will have to dig a little bit to find out if there are/were other cases. | 19:34 |
ahasenack | no need, if you don't remember, then they were likely not important or relevant | 19:34 |
georgiag | I had this issue in one of the apparmor tests actually | 19:35 |
ahasenack | or common | 19:35 |
georgiag | I joined in 2021 so there might be some cases I haven't looked at yet :) | 19:36 |
ahasenack | hah :) | 19:36 |
sdeziel | in custom made profile, this usr-merge difference on dist-upgraded machines also bit me, annoying ;) | 19:42 |
ahasenack | yeah | 19:42 |
ahasenack | I'm going over every bin invocation | 19:42 |
ahasenack | so far it's ps and uname | 19:42 |
ahasenack | ah, and systemctl | 19:42 |
ahasenack | these live in /bin in bionic | 19:43 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!