[ANNOUNCE] dbus-broker v30


David Rheinsberg

May 10, 2022, 7:07:00 AM
to bus1-devel
Hi

We just tagged v30 of dbus-broker. This release comes with a lot of
bug-fixes and several security-fixes. Additionally, the dependency
management has been updated to use proper meson wrap-files and
simplify how we pull in the subproject code. We continue to release
tarballs with every new version, including all subproject code,
suitable for offline builds.

There have been several fixes to how dbus-broker-launch parses the XML
configuration file, including possible security vulnerabilities. If
you auto-generate parts of the configuration or service files from
untrusted sources, you are highly recommended to upgrade. We are not
aware of any distribution doing this, but we still recommend everyone
to upgrade.

Apart from those fixes, there have been improvements to the way the
launcher activates services and reports errors about service
activation failures.

Thanks to everyone contributing to this release!

https://github.com/bus1/dbus-broker/releases/tag/v30

## CHANGES WITH 30:

* Pull in subprojects via meson wraps. Subprojects are no longer
included via git submodules, but instead pulled in at build-time via
meson. All subprojects are converted to follow semver-style
versioning, and dbus-broker pulls them in via a versioned dependency.
All subprojects are still statically linked and considered part of
dbus-broker. Any critical update to any subproject will cause a new
release of dbus-broker, as it always did. Distributions are not
required to monitor the subprojects manually.
The official release-tarballs of dbus-broker include up-to-date
subproject sources and can be used for offline builds. Distributions
are free to use newer subproject sources for their rebuilds, and this
is explicitly supported.
Please refer to the meson documentation for details on how to manage
subprojects. You can still pull in other versions of the dependencies
by putting the sources into ./subprojects/. This change merely makes
meson pull in the newest sources via a meson-wrap-file, if, and only
if, no other sources have been provided.
This change requires `meson-0.60` or newer.

* Systemd units with failed `Condition*=` directives are now correctly
considered failed, even if they report success.

* Failed service activations now report more detailed information on
the activation failure back through the activating client. The exact
error information is now transmitted back from the launcher to the
broker and then included in the dbus error message to the client.

* Order the broker unit explicitly after `dbus.socket` to enforce the
dependency even if the broker is disabled temporarily. When the unit
is enabled, this dependency is implicit due to the used alias to
`dbus.service`.

* The broker now runs in `session.slice` if applicable. The broker is
thus considered more vital to the session and thus is less likely to
be collected on resource exhaustion.

* The `GetStats()` call on `org.freedesktop.DBus.Debug` now properly
returns reply-owner statistics. Before, those were always set to 0.

* Fix incorrect resource accounting of connecting peers. Before, only
the data a peer actually transmitted/received was accounted, but the
management object of the peer itself was not. This is now fixed to
properly account all resources a peer uses.

* Fix NULL-derefs in the XML configuration parser. Empty XML tags could
have caused NULL-derefs before. This is now fixed.

* Fix a buffer-overflow in shell-quote parsing, used by the `Exec=`
line in activation service files.

* Fix the launcher to obtain service-paths from systemd directly rather
than building them manually. This will correctly resolve unit aliases
and other quirks of systemd units.

Contributions from: David Rheinsberg, Hugo Osvaldo Barrera, Luca
Boccassi, Zbigniew Jędrzejewski-Szmek, msizanoen1

- Dußlingen, 2022-05-10

David Rheinsberg

May 11, 2022, 2:52:51 AM
to bus1-devel
On Tue, 10 May 2022 at 13:06, David Rheinsberg
<david.rh...@gmail.com> wrote:
[...]
> Thanks to everyone contributing to this release!
>
> https://github.com/bus1/dbus-broker/releases/tag/v30
>
> ## CHANGES WITH 30:
[...]
> * Fix incorrect resource accounting of connecting peers. Before, only
> the data a peer actually transmitted/received was accounted, but the
> management object of the peer itself was not. This is now fixed to
> properly account all resources a peer uses.

As it turns out, this uncovered a bug in our user-accounting code [1].
It is fixed upstream [2] and I recommend picking up this patch on top
of v30. I will release v31 in a week, waiting for possibly more fixes.

David


[1] https://github.com/bus1/dbus-broker/issues/288
[2] https://github.com/bus1/dbus-broker/commit/608b259e25ef1348b9e4a8e022c35b5c68d3df98