Comment 7 for bug 1789551

Christian Ehrhardt  (paelzer) wrote :

Hi Seth,
thanks for your thoughts!

Splitting my answers per Release:

== Cosmic ==

For cosmic it needs no FFe IMHO, for already having the Blacklist variant and using it for quite a while. We only extend it to the threads that were missing - in that scope it is only a bug fix.
- There the fix is ready and now also tested in various combinations

stage0-prep-cosmic-CVE-seccomp-run1-x86_64.status : Pass 4 Failed 0 Skip 0 + 0 - RC 0 in 12 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-x86_64.status : Pass 276 Failed 0 Skip 0 + 0 - RC 0 in 62 minutes
stage2-cross-cosmic-CVE-seccomp-run1-x86_64.status : Pass 22 Failed 0 Skip 0 + 1 - RC 0 in 28 minutes
stage3-misc-cosmic-CVE-seccomp-run1-x86_64.status : Pass 103 Failed 0 Skip 0 + 0 - RC 0 in 29 minutes

stage0-prep-cosmic-CVE-seccomp-run1-s390x.status : Pass 3 Failed 0 Skip 0 + 0 - RC 0 in 44 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-s390x.status : Pass 249 Failed 2 Skip 5 + 0 - RC 2 in 531 minutes
stage2-cross-cosmic-CVE-seccomp-run1-s390x.status : Pass 12 Failed 0 Skip 0 + 0 - RC 0 in 178 minutes
stage3-misc-cosmic-CVE-seccomp-run1-s390x.status : Pass 67 Failed 0 Skip 0 + 0 - RC 0 in 95 minutes

stage0-prep-cosmic-CVE-seccomp-run1-ppc64le.status : Pass 2 Failed 0 Skip 0 + 0 - RC 0 in 47 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-ppc64le.status : Pass 276 Failed 0 Skip 0 + 0 - RC 0 in 101 minutes
stage2-cross-cosmic-CVE-seccomp-run1-ppc64le.status : Pass 4 Failed 0 Skip 0 + 0 - RC 0 in 8 minutes
stage3-misc-cosmic-CVE-seccomp-run1-ppc64le.status : Pass 48 Failed 0 Skip 1 + 0 - RC 0 in 20 minutes

The only two fails we see have existed before.
Given all that looks good and we were using it already I'll push that for Cosmic.

== Bionic ==
Bionic is different as I outlined and you also emphasized further.

First of all I'd NOT want to turn on blacklist filtering by default at all there.

But OTOH being not used by default means the only few that use it are those that want to rely on its function. So they would most likely want the fix to be in?

Bionic at least using the blacklist approach already makes this safer than in older releases.
So for Bionic I'd agree to the "prep something and cajole people that are using it already for testing of their cases".
I'll make a PPA ready for that.

The fact that not all kernels log seccomp denials is what makes me feel unsure. That would really be hard to debug.

If we want to go on further than this PPA and actually push something into Bionic depends on
a) positive test feedback
b) feedback at all that the feature is used
c) your security severity estimation if that is needed is high enough

If not a+b+c then I'd keep Bionic untouched.
Would you be able to "cajole the people" once I have a PPA to try?

== Xenial/Trusty ==
Still using the whitelist approach plus risk due to the obvious backport noise and older kernels behaving differently makes this too much of a risk IMHO.
So I'd rate these Won't Fix unless your severity estimation implies it is needed.
Again there the feature won't be used by default, and being rather new at the time it might not be used anywhere.
I'll update the bug task status - please feel free to override if your rating forces us to deliver something there.