[opensuse-factory] Reminder: Dealing with security related rpmlint messages in packages (DBus services, polkit rules, ...)
Hi,
due to the results of a recent security audit for the package
Archiving:Backup/backintime the SUSE security team wants to make
everyone aware how to deal with security related rpmlint messages in
packages.
If during the build of a package messages like these turn up:
- backintime-qt4.noarch: E: suse-dbus-unauthorized-service
- backintime-qt4.noarch: I: polkit-untracked-privilege net.launchpad.backintime.qt4gui
then these packages must not be accepted into openSUSE:Factory before
the security team has reviewed the package. After successful review the DBus
services / polkit rules in question will be whitelisted by us and the
rpmlint messages disappear.
These messages *must not* be disabled via the rpmlintrc file of the
package. Please don't create or accept such submissions.
DBus services and polkit rules can easily create loopholes in the
distribution, thus we need to review them before taking them in.
In the case of backintime, the package slipped into Factory and Leap 42.{1,2}
(messages disabled via rpmlintrc) and only now have we found security
implications.
Thank you
Matthias
SUSE security team
--
Matthias Gerstner
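As an added example (not part of the original mail and not SUSE security team tooling), a small check a reviewer or CI job could run over a package's rpmlintrc to flag exactly the kind of suppression the mail asks people not to submit. It assumes the standard rpmlintrc directives addFilter("regex") and setBadness("regex", N); the sample rpmlintrc content is constructed.

```python
import re

# The security-related rpmlint checks named in the reminder above. A package
# must never silence these in its rpmlintrc; they are cleared by whitelisting
# after security review instead.
SECURITY_CHECKS = (
    "suse-dbus-unauthorized-service",
    "polkit-untracked-privilege",
)

# Matches addFilter("...") / addFilter('...') and setBadness("...", N) lines
# and captures the directive name and the quoted regex.
_DIRECTIVE_RE = re.compile(r"""^\s*(addFilter|setBadness)\s*\(\s*(['"])(.*?)\2""")


def find_suppressed_security_checks(rpmlintrc_text):
    """Return (lineno, directive, pattern, check) for every rpmlintrc directive
    whose pattern would hide one of the security-related checks."""
    findings = []
    for lineno, line in enumerate(rpmlintrc_text.splitlines(), start=1):
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        directive, _, pattern = m.groups()
        for check in SECURITY_CHECKS:
            # rpmlint filters are regexes matched against the whole message, so a
            # directive hides the check if its pattern names the check literally or
            # if the pattern itself matches the check name (e.g. a blanket ".*").
            try:
                hit = check in pattern or re.search(pattern, check) is not None
            except re.error:
                hit = check in pattern  # malformed regex: fall back to substring
            if hit:
                findings.append((lineno, directive, pattern, check))
    return findings


# Constructed sample rpmlintrc: line 2 is a harmless filter, lines 3-5 are the
# kind of suppression that must not be accepted into Factory.
SAMPLE_RPMLINTRC = "\n".join([
    "# constructed sample: suppressions a package must not ship",
    'addFilter("no-manual-page-for-binary")',
    'addFilter("suse-dbus-unauthorized-service")',
    r'addFilter("polkit-untracked-privilege net\.launchpad\.backintime\..*")',
    'setBadness("suse-dbus-unauthorized-service", 0)',
])

if __name__ == "__main__":
    for lineno, directive, pattern, check in find_suppressed_security_checks(SAMPLE_RPMLINTRC):
        print(f"line {lineno}: {directive}({pattern!r}) suppresses {check}")
```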