Format: 1.8
Date: Sun, 26 Sep 2021 17:28:50 +0100
Source: gnome-keyring
Architecture: source
Version: 40.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 994961
Changes:
 gnome-keyring (40.0-3) unstable; urgency=medium
 .
   * Team upload
   * Don't add CAP_IPC_LOCK capability to gnome-keyring-daemon.
     GNOME Keyring uses "memory locking" to prevent memory buffers from
     being written out to swap, in an attempt to prevent passwords and
     other secrets from being written to disk unencrypted.
     Since Linux 2.6.9 (Debian 4.0, 2007) it has been possible to lock
     memory up to the limit defined by RLIMIT_MEMLOCK without requiring
     the CAP_IPC_LOCK capability.
     Since GLib 2.70, security hardening in GLib means that this
     capability interferes with the ability to connect to the D-Bus
     session bus, which is required functionality for gnome-keyring.
     RLIMIT_MEMLOCK defaults to 64 KiB, although it is considerably
     higher on typical Debian systems due to #976373. If memory locking
     for larger quantities of secret data is required, please configure
     a higher RLIMIT_MEMLOCK in /etc/security/limits.conf.
     Using encrypted swap, with an ephemeral key if suspend-to-disk is
     not required, is recommended as a more robust way to prevent
     passwords from reaching disk. Full-disk encryption is also
     recommended for systems where confidentiality is important.
     (Closes: #994961)
   * Don't build with capabilities support on Linux architectures.
     Now that we are not setting CAP_IPC_LOCK, this is not useful, and
     disabling it silences some misleading warnings.
     gnome-keyring will still log a warning if it cannot allocate enough
     locked memory for its needs.
   * Add proposed patches to avoid unnecessary use of unlocked memory.
     Older versions of gnome-keyring did not always prevent larger items
     of secret data from being swapped out, even if they could, due to a
     logic error when allocating new blocks of locked memory.
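The memory-locking behaviour described in the changelog above, as an added C example that is not part of this upload or of gnome-keyring's code: a process with no CAP_IPC_LOCK locks a secret buffer within RLIMIT_MEMLOCK and, if it cannot, keeps the buffer and logs a warning. The names `secret_buf`, `fits_memlock`, `secret_alloc` and `secret_free` are hypothetical, and `fits_memlock` ignores memory the process has already locked.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical type for this example: a secret buffer and its lock state. */
struct secret_buf { void *ptr; size_t len; int locked; };

/* Can `len` bytes be locked under the RLIMIT_MEMLOCK soft limit `cur`? */
static int fits_memlock(size_t len, rlim_t cur) {
    return cur == RLIM_INFINITY || (rlim_t)len <= cur;
}

/* Allocate whole pages and try to lock them, relying only on RLIMIT_MEMLOCK.
 * If locking fails, keep the buffer but warn that it may be swapped out. */
static int secret_alloc(struct secret_buf *b, size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct rlimit rl = { 0, 0 };
    b->len = (len + pg - 1) / pg * pg;   /* mlock() accounts in pages */
    b->locked = 0;
    b->ptr = mmap(NULL, b->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b->ptr == MAP_FAILED) { b->ptr = NULL; return -1; }
    if (mlock(b->ptr, b->len) == 0) { b->locked = 1; return 0; }
    getrlimit(RLIMIT_MEMLOCK, &rl);
    fprintf(stderr, "warning: could not lock %zu bytes (soft limit %llu)%s\n",
            b->len, (unsigned long long)rl.rlim_cur,
            fits_memlock(b->len, rl.rlim_cur) ? "" : "; raise RLIMIT_MEMLOCK");
    return 0;
}

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void secret_free(struct secret_buf *b) {
    volatile unsigned char *p = b->ptr;
    if (!b->ptr) return;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
    munmap(b->ptr, b->len);              /* unmapping also drops the lock */
    b->ptr = NULL;
}

int main(void) {
    struct secret_buf b;
    if (secret_alloc(&b, 100) != 0) return 1;
    printf("%zu bytes, locked=%d\n", b.len, b.locked);
    secret_free(&b);
    return 0;
}
```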