In the systemd unit file of bluez-5.64, there is:
ProtectSystem=full
ReadWritePaths=/var/lib/bluetooth
The combination of these two options makes systemd bind-mount /
recursively and read-only to /run/systemd/unit-root in a new mount
namespace, then bind-mount /var/lib/bluetooth to
/run/systemd/unit-root/var/lib/bluetooth, then run bluez in the chroot
at /run/systemd/unit-root in the separate namespace.
This helps to reduce the potential damage if a bluez security
vulnerability is exposed. But, if /var/lib/bluetooth does not exist,
systemd will fail to bind mount it and complain:
bluetooth.service: bluetooth.service: Failed to set up mount
namespacing: /run/systemd/unit-root/var/lib/bluetooth: No such
file or directory
As a simple workaround, just create this directory at installation. A
more elegant solution will be shipped in bluez-5.65:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0905a06
Q: Why -m700?
A: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=edc69d2
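As an added example (not code from bluez or from the author of this changelog), a POSIX shell helper that applies the workaround described above: it creates the ReadWritePaths= target with mode 700 when it is missing, leaves an existing directory alone, and reports the permission bits so an install recipe can verify them before the unit is started. The PREFIX argument (DESTDIR-style) is an assumption made so the function can be exercised against a scratch directory instead of the live root.

```shell
#!/bin/sh
# Added example, not part of bluez or of the changelog above.
# The unit options this supports are:
#   ProtectSystem=full
#   ReadWritePaths=/var/lib/bluetooth
# systemd bind-mounts every ReadWritePaths= entry into the unit's private
# mount namespace, so the directory must exist on the host first.

# ensure_rw_path PREFIX PATH [MODE]
# Creates PREFIX/PATH (parents included) with MODE, default 700, if the
# directory is missing.  An existing directory is left untouched so a
# re-run of the install step never alters its permissions.
ensure_rw_path() {
    prefix=$1
    path=$2
    mode=${3:-700}
    if [ -d "$prefix$path" ]; then
        return 0
    fi
    # install -d creates missing parents; -m applies to the final component,
    # matching the -m700 referred to above.
    install -d -m "$mode" "$prefix$path"
}

# rw_path_mode PREFIX PATH
# Prints the octal permission bits of PREFIX/PATH; fails if it is missing.
# (GNU stat -c is assumed, as on the Linux systems this unit targets.)
rw_path_mode() {
    [ -d "$1$2" ] || return 1
    stat -c '%a' "$1$2"
}
```

In an install recipe the call would be `ensure_rw_path "$DESTDIR" /var/lib/bluetooth 700`; checking `rw_path_mode` afterwards catches a stray umask or an earlier package that created the directory world-readable.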
Update to gjs-1.72.1
Update to tracker3-3.3.2
Update to gnome-bluetooth-42.2
Update to epiphany-42.3
Update to libadwaita-1.1.3
Update to libhandy-1.6.3
Update to gnome-desktop-42.3
Update to xcmsdb-1.0.6 (Xorg App)
Update to xmodmap-1.0.11 (Xorg App)
Update to xpr-1.1.0 (Xorg App)
Update to xwud-1.0.6 (Xorg App)
Update to xev-1.2.5 (Xorg App)
Update to xkbutils-1.0.5 (Xorg App)
Update to xrefresh-1.0.7 (Xorg App)
Update to xmessage-1.0.6 (Xorg App)
Update to URI-5.12 (Perl Module)
Update to xf86-input-synaptics-1.9.2 (Xorg Driver)
Update to hdparm-9.64
Update to wayland-protocols-1.26
Update to libdrm-2.4.112
Update to node.js-16.16.0
Update to php-8.1.8
Add security patch for Dovecot (fixes CVE-2022-30550)
Update to seamonkey-2.53.13
Update to gnupg-2.3.7
Mark git as a security update
since we're not setting them elsewhere in the page anymore.
Note that the command explanation is still there for setting it if you
want to use GCC/G++, making this identical to Firefox currently.
Since ffmpeg5 no longer carries libavresample, we can't build transcode without
disabling ffmpeg support. With some rudimentary testing, it seems that this
doesn't have any negative impact.
Add "| cut -f 1" to efibootmgr command for checking the configuration,
so long boring paths will not show up.
Update unifont version, and kernel version (in example) by the way.