On Fri, Jul 09, 2021 at 11:32:18AM +0100, Morgan Adamiec via pacman-contrib wrote:
On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
they probably need to edit the .service file anyway
Why? Doesn't the service just call `paccache -r`, which in turn reads pacman.conf?
Yeah, you’re right. I forgot that CacheDir can take multiple directories. v2 of patch 1 changes `ProtectSystem=strict` to `ProtectSystem=full`, which removes the need to specify ReadWritePaths. It can be demoted further to `ProtectSystem=yes` if people use /etc/… as one of the cache directories, or removed entirely if /usr/… or /boot/… or /efi/… are used as cache paths. I guess /usr/local/… might be? /usr/local/ could be added in as a ReadWritePaths if we want to support that while still locking down /usr/ otherwise. (Patch 2/2 still applies frictionlessly on top of patch 1 v2, so I didn’t resend that.)

--
Solidarity,
Frederik “Freso” S. Olesen <https://freso.dk/>
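The trade-off discussed in this thread, worked through as an added example (not code from the pacman-contrib patch or from paccache.service): read the CacheDir entries of a pacman.conf and emit the strongest ProtectSystem= setting that still leaves every cache directory writable, re-opening only the paths that need it. It assumes systemd's documented semantics (yes: /usr, /boot, /efi read-only; full: also /etc; strict: everything except /dev, /proc, /sys) and uses a constructed sample config, not a real system's.

```shell
#!/bin/sh
# Added example; not part of the pacman-contrib patch or of paccache.service.
# Assumed ProtectSystem= semantics: yes => /usr, /boot, /efi read-only;
# full => additionally /etc; strict => everything except /dev, /proc, /sys.

# List the CacheDir values of pacman.conf "$1"; pacman's default applies when none is set.
cache_dirs() {
    dirs=$(sed -n 's/^[[:space:]]*CacheDir[[:space:]]*=[[:space:]]*//p' "$1")
    if [ -z "$dirs" ]; then
        echo /var/cache/pacman/pkg/
    else
        # One CacheDir line may carry several space-separated directories.
        for d in $dirs; do echo "$d"; done
    fi
}

# Print the [Service] hardening lines for the cache dirs of pacman.conf "$1".
# full needs no ReadWritePaths for /var; a cache under /etc demotes it to yes;
# a cache under /usr, /boot or /efi keeps the lock-down but is re-opened explicitly.
recommend_protect_system() {
    level=full
    rw=""
    for d in $(cache_dirs "$1"); do
        case "$d" in
            /usr/*|/boot/*|/efi/*) rw="$rw $d" ;;
            /etc/*) level=yes ;;
        esac
    done
    echo "ProtectSystem=$level"
    [ -n "$rw" ] && echo "ReadWritePaths=${rw# }"
    return 0
}

# Constructed sample config (not from a real system) hitting both edge cases.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[options]
#CacheDir = /commented/out/
CacheDir = /var/cache/pacman/pkg/ /usr/local/pkgcache/
CacheDir=/etc/pacman.d/cache/
EOF

recommend_protect_system "$SAMPLE_CONF"
# prints:
# ProtectSystem=yes
# ReadWritePaths=/usr/local/pkgcache/
```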