Comment # 3 on bug 1226460 from Matthias Gerstner
Adding the sub-package for opting out of this is all right, but the way the
change has been implemented seems wrong to me.

The file /usr/lib/sysctl.d/52-yama.conf has been removed from the aaa_base
main package, and now it is packaged in the aaa_base-yama-enable-ptrace
sub-package instead. Its content changed as follows:

    -# legitimate usecases.
    --kernel.yama.ptrace_scope = 1
    +# legitimate usecases, such as calling strace or gdb on other processes.
    +-kernel.yama.ptrace_scope = 0
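Review bot: the hunk changes the value in place (1 to 0) in the only file that carries kernel.yama.ptrace_scope, and that file is at the same time moved out of the main package, so after this change no package ships the restrictive value 1 at all and the sub-package does not override anything. Keep `-kernel.yama.ptrace_scope = 1` in 52-yama.conf in the main package and let the opt-out sub-package add a separate drop-in that sorts later (53-yama-dev.conf or similar) containing `-kernel.yama.ptrace_scope = 0`; sysctl.d files are applied in lexical filename order and the lexicographically latest file wins for a given key, so the opt-out only takes effect when that second file is installed. The leading `-` on the key, kept on both the old and the new line, only tells systemd-sysctl to ignore a failure to apply the setting (e.g. on a kernel without Yama); it does not affect which value wins.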

This means the ptrace limitation is removed completely, and installing the
sub-package doesn't do anything at all anymore.

I'd say what is needed here is an additional sysctl.d drop-in file with higher
priority like 53-yama-dev.conf, packaged in the new sub-package, while the
previous version of 52-yama.conf, which sets ptrace_scope = 1, needs to
stay in the main package.
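The following is an added example, not part of the bug report or of aaa_base: a small POSIX shell function that resolves a key across sysctl.d drop-ins the way systemd-sysctl does (files in lexical filename order, the latest file wins, a leading `-` on a key only marks it as ignore-on-failure), plus a demo that builds the layout proposed above in a scratch directory. The file names 52-yama.conf and 53-yama-dev.conf are taken from the comment; the function names and the scratch-directory contents are constructed for the example and nothing is written to the real /usr/lib/sysctl.d.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped by aaa_base or systemd):
# resolve the effective value of a sysctl key from a directory of *.conf
# drop-ins, using the sysctl.d(5) rules: files are processed in lexical
# order, a later file overrides an earlier one for the same key, "#" and
# ";" lines are comments, and a leading "-" on a key means "ignore failure
# to apply" without changing the value.

# effective_sysctl_value DIR KEY  -> prints the value the last matching
# drop-in in DIR would apply for KEY (empty if no file sets it).
effective_sysctl_value() {
    dir="$1"; key="$2"; value=""
    for f in "$dir"/*.conf; do            # glob expansion is already sorted
        [ -f "$f" ] || continue           # no *.conf files: pattern unexpanded
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*|';'*) continue ;; # blank or comment line
                *=*) ;;                   # key = value line
                *) continue ;;            # anything else is ignored
            esac
            k="${line%%=*}"; v="${line#*=}"
            k="$(printf '%s' "$k" | tr -d ' \t')"   # keys contain no whitespace
            k="${k#-}"                               # drop ignore-failure prefix
            v="$(printf '%s' "$v" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
            if [ "$k" = "$key" ]; then
                value="$v"                # later file overrides earlier file
            fi
        done < "$f"
    done
    printf '%s\n' "$value"
}

# demo_yama_layout -> prints two lines: the effective ptrace_scope with only
# the main package's 52-yama.conf present, then with the opt-out sub-package's
# 53-yama-dev.conf added. Uses a scratch directory, not /usr/lib/sysctl.d.
demo_yama_layout() {
    d="$(mktemp -d)" || return 1
    # constructed content: main package keeps the restrictive default
    printf '%s\n' '# legitimate usecases.' '-kernel.yama.ptrace_scope = 1' \
        > "$d/52-yama.conf"
    effective_sysctl_value "$d" kernel.yama.ptrace_scope
    # constructed content: opt-out sub-package adds a later-sorting override
    printf '%s\n' '# developer opt-out: allow strace/gdb on other processes' \
        '-kernel.yama.ptrace_scope = 0' > "$d/53-yama-dev.conf"
    effective_sysctl_value "$d" kernel.yama.ptrace_scope
    rm -rf "$d"
}

# Usage: sh this_file.sh  -> prints "1" then "0"
demo_yama_layout
```

Run against the real tree with `effective_sysctl_value /usr/lib/sysctl.d kernel.yama.ptrace_scope` to see which value the packaged drop-ins would apply; to check what the running kernel actually has, read /proc/sys/kernel/yama/ptrace_scope, since a file in /etc/sysctl.d or /run/sysctl.d with the same name overrides the one in /usr/lib and this helper only looks at a single directory.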
