
SECURITY IMPORTANCE - recommend reading for systemd packaging

tldr: https://jira.mariadb.org/browse/MDEV-36229

Thanks for sharing Otto,

Note the IPC Lock commit https://salsa.debian.org/mariadb-team/mariadb-server/-/commit/172c7d3fa579e5... was something I reverted on https://github.com/MariaDB/server/pull/3157 after an obscure case of using env OPENSSL_CONF to control settings was incompatible with any setcap cap_ipc_lock+ep on the mariadbd executable.

With https://jira.mariadb.org/browse/MDEV-36229 that came in a few hours ago, I think that CAP_DAC_OVERRIDE CAP_AUDIT_WRITE moving with CAP_IPC_LOCK to AmbientCapabilities was probably a mistake.

In the systemd service files the following is probably a much safer option. This is the one I'm considering.

    CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    AmbientCapabilities=CAP_IPC_LOCK

If packagers truly want a safe option, probably:

    CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

This is better, though that means users have a choice of env OPENSSL_CONF or --memlock depending on if they use setcap themselves on the executable.

Noting I haven't looked strongly at how the Debian PAM needs DAC/AUDIT_WRITE beyond the systemd service file comments.

Short of arguing with OpenSSL devs about AT_SECURITY (oh wait, I did - https://github.com/openssl/openssl/issues/21770) I couldn't see an easy packaging resolution.

Thanks for your attention to packaging MariaDB.

On Thu, 6 Mar 2025 at 02:30, Otto Kekäläinen via packagers <packagers@lists.mariadb.org> wrote:
Hi!
As packaging occasionally requires some decisions of what to include or exclude, I wanted to share with other packagers here what we ended up doing for the official Debian and Ubuntu repositories:
The next uploads in line are ready for review at:
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/102 Prepare MariaDB Server 1:11.4.5-1 minor maintenance release for Debian unstable
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/98 Prepare MariaDB Server 1:10.11.11-0+deb12u1 minor maintenance release for Debian stable (Bookworm)
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/106 Prepare upload to MariaDB 10.11.9 to Ubuntu 24.04 "Noble"
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/96 Prepare upload to MariaDB 10.6.19 to Ubuntu 22.04 "Jammy"
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/20 New upstream version MariaDB 10.5.28 for Debian 11 "Bullseye"
So far we haven't encountered any regressions, so all good!
- Otto

_______________________________________________
packagers mailing list -- packagers@lists.mariadb.org
To unsubscribe send an email to packagers-leave@lists.mariadb.org
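As an added example (not code from the thread, MariaDB or Debian), the following Python models the capabilities(7) execve() transition for the unit layouts discussed above, once for a plain mariadbd and once for a binary a user has given setcap cap_ipc_lock+ep. The unit snippets are constructed from the capability names in the mail; the "reverted" layout assumes only that those three names sat in AmbientCapabilities.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileCaps:  # what `setcap` placed on the executable; default is a plain binary
    permitted: frozenset = frozenset()
    effective: bool = False  # the 'e' flag in cap_ipc_lock+ep

def unit_caps(service_text):
    """(ambient, bounding) from AmbientCapabilities=/CapabilityBoundingSet= lines;
    bounding None = directive absent (unrestricted). '~' inversion is not handled."""
    ambient, bounding = set(), None
    for line in service_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "AmbientCapabilities":
            ambient |= set(value.split())
        elif key == "CapabilityBoundingSet":
            bounding = (bounding or set()) | set(value.split())
    return frozenset(ambient), None if bounding is None else frozenset(bounding)

def exec_transition(ambient, bounding, fcaps):
    """capabilities(7) execve() rules for a non-root, non-setuid service:
      P'(ambient)   = {} if the file carries capabilities, else P(ambient)
      P'(permitted) = (F(permitted) & P(bounding)) | P'(ambient)
      P'(effective) = P'(permitted) if F(effective) else P'(ambient)
    (+ep sets no file-inheritable bits, so that term is omitted). AT_SECURE
    mirrors the kernel's secure-exec test: file effective bit set, or permitted
    grew beyond ambient. Raises PermissionError, as the kernel does, when the
    +ep file needs a capability the bounding set withholds."""
    new_ambient = frozenset() if fcaps.permitted else ambient
    from_file = fcaps.permitted if bounding is None else fcaps.permitted & bounding
    if fcaps.effective and from_file != fcaps.permitted:
        raise PermissionError("execve: bounding set denies a file capability")
    permitted = from_file | new_ambient
    effective = permitted if fcaps.effective else new_ambient
    at_secure = fcaps.effective or not permitted <= new_ambient
    return permitted, effective, at_secure

# Constructed unit snippets built from the capability names in the mail.
CONSIDERED = "CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\nAmbientCapabilities=CAP_IPC_LOCK\n"
SAFE = "CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\n"
REVERTED = "AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\n"
PLAIN = FileCaps()                                             # no setcap at all
SETCAP_IPC_LOCK = FileCaps(frozenset({"CAP_IPC_LOCK"}), True)  # setcap cap_ipc_lock+ep

def run(unit_text, fcaps):
    """(permitted, effective, at_secure), or None when execve() would fail."""
    try:
        return exec_transition(*unit_caps(unit_text), fcaps)
    except PermissionError:
        return None
```

With a plain binary only the ambient capabilities survive the exec and AT_SECURE stays clear, while a +ep binary clears the ambient set and sets AT_SECURE (so OPENSSL_CONF is hidden); under the "considered" layout the +ep binary cannot be executed at all, because CAP_IPC_LOCK is outside its bounding set.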