Accepted gnome-keyring 40.0-3 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 26 Sep 2021 17:28:50 +0100
Source: gnome-keyring
Architecture: source
Version: 40.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 994961
Changes:
 gnome-keyring (40.0-3) unstable; urgency=medium
 .
   * Team upload
   * Don't add CAP_IPC_LOCK capability to gnome-keyring-daemon.
     GNOME Keyring uses "memory locking" to prevent memory buffers from being
     written out to swap, in an attempt to prevent passwords and other secrets
     from being written to disk unencrypted. Since Linux 2.6.9 (Debian 4.0,
     2007) it has been possible to lock memory up to the limit defined by
     RLIMIT_MEMLOCK without requiring the CAP_IPC_LOCK capability.
     Since GLib 2.70, security hardening in GLib means that this capability
     interferes with the ability to connect to the D-Bus session bus, which
     is required functionality for gnome-keyring.
     RLIMIT_MEMLOCK defaults to 64 KiB, although it is considerably higher on
     typical Debian systems due to #976373. If memory locking for larger
     quantities of secret data is required, please configure a higher
     RLIMIT_MEMLOCK in /etc/security/limits.conf.
     Using encrypted swap, with an ephemeral key if suspend-to-disk is not
     required, is recommended as a more robust way to prevent passwords
     from reaching disk. Full-disk encryption is also recommended for
     systems where confidentiality is important.
     (Closes: #994961)
   * Don't build with capabilities support on Linux architectures.
     Now that we are not setting CAP_IPC_LOCK, this is not useful, and
     disabling it silences some misleading warnings. gnome-keyring will still
     log a warning if it cannot allocate enough locked memory for its needs.
   * Add proposed patches to avoid unnecessary use of unlocked memory.
     Older versions of gnome-keyring did not always prevent larger items of
     secret data from being swapped out, even if they could, due to a logic
     error when allocating new blocks of locked memory.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
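
The behaviour the changelog relies on, as an added example that is not part of the announcement and is not gnome-keyring's code: an unprivileged process locks a secret buffer with mlock() inside RLIMIT_MEMLOCK, and falls back to unlocked memory with a warning when the limit is too small. The names round_to_pages, fits_memlock_limit, secret_alloc and secret_free are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* mlock() accounts in whole pages, so round the request up. */
size_t round_to_pages(size_t len, size_t page) {
    return (len + page - 1) / page * page;
}

/* 1 if len fits under a soft limit, ignoring pages already locked. */
int fits_memlock_limit(size_t len, rlim_t limit, size_t page) {
    return limit == RLIM_INFINITY || round_to_pages(len, page) <= limit;
}

/* Hypothetical helper: allocate len bytes and try to lock them. If mlock()
 * fails the buffer is still returned, *locked is 0 and a warning is logged. */
void *secret_alloc(size_t len, int *locked) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = round_to_pages(len, page);
    void *p = aligned_alloc(page, size);
    *locked = (p != NULL && mlock(p, size) == 0);
    if (p != NULL && !*locked)  /* ENOMEM: over the limit; EPERM: limit is 0 */
        fprintf(stderr, "warning: %zu bytes not locked: %s\n", size, strerror(errno));
    return p;
}

/* Wipe, unlock and release a buffer obtained from secret_alloc(). */
void secret_free(void *p, size_t len) {
    size_t size = round_to_pages(len, (size_t)sysconf(_SC_PAGESIZE));
    volatile unsigned char *v = p;   /* volatile: the wipe is not optimised away */
    for (size_t i = 0; i < size; i++) v[i] = 0;
    munlock(p, size);
    free(p);
}

int main(void) {
    struct rlimit rl;
    int locked = 0;
    getrlimit(RLIMIT_MEMLOCK, &rl);
    void *s = secret_alloc(256, &locked);
    printf("soft limit %llu bytes, 256-byte secret locked=%d\n", (unsigned long long)rl.rlim_cur, locked);
    if (s) secret_free(s, 256);
    return 0;
}
```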