[GH-ISSUE #3261] Question: What's the best way to update? #2045

Closed
opened 2026-05-05 08:43:02 -06:00 by gitea-mirror · 3 comments

Originally created by @svc88 on GitHub (Mar 2, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3261

I want to stay up to date with the constant additions and edits of all profiles; however, I am wondering what the downside is in cloning and building the latest on GitHub on a weekly basis?

Is cloning better than using the official releases?
What is a safe frequency in cloning the repo? Once a week?


@matu3ba commented on GitHub (Mar 2, 2020):

Occasionally compiling/running breaks on development (2-3 times a year).
Sometimes due to software updates needing new/changed rules.

If you want a stable running system, go for stable/LTS releases of your distribution.
If you want bleeding edge software, use the latest master.
If you have a mix of both, you have to decide.

Safe for doing what?


@rusty-snake commented on GitHub (Mar 2, 2020):

> I am wondering what the downside is in cloning and building the latest on GitHub on a weekly basis?

  • broken build (see @matu3ba's post)
  • commits breaking firejail temporarily (just check out the latest working commit, rebuild, report, wait)
  • commits breaking profiles on some systems

Pros:

  • latest firejail features
  • new profiles
  • profile fixes from master

> Is cloning better than using the official releases?

If you just want a running firejail to sandbox, a release is better. If you want to contribute (code, profile, testing), the git version is better.

Using firejail-release with git-profile:
works shortly after a release, but almost every firejail-release has some changes in firejail (the binary) against profiles.

Examples:

0.9.62:

  • allow-debuggers in profiles. No workaround
  • several seccomp enhancements: need to write a script that replaces `seccomp` with `seccomp.drop` using the new groups + exceptions.
  • whitelisting /usr/share: just profiles.
  • new conditions: HAS_X11, HAS_NET: no workaround

0.9.60:

  • mdwe blocks memfd_create: script that adds `seccomp.drop memfd_create` to all profiles with mdwe
  • private-cwd: no workaround
  • nodbus blocks systembus: `?HAS_NODBUS: blacklist /run/dbus`
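
The comment above mentions a script that adds `seccomp.drop memfd_create` to every profile using mdwe. The following is an added example, not part of the original comment or the firejail project; it assumes "mdwe" refers to the profile line `memory-deny-write-execute`, and the function name and directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not firejail's own tooling). Assumption: "mdwe" in the
# comment means the profile line `memory-deny-write-execute`.

# patch_mdwe_profiles DIR
# Appends `seccomp.drop memfd_create` to each *.profile in DIR that enables
# memory-deny-write-execute and does not already carry that line.
# Prints the number of files changed. Run it on a working copy of the
# git profiles, not on the directory the package manager owns.
patch_mdwe_profiles() {
    dir=$1
    changed=0
    for f in "$dir"/*.profile; do
        [ -f "$f" ] || continue      # glob matched nothing
        # Only an uncommented, whole-line directive counts.
        grep -Eq '^[[:space:]]*memory-deny-write-execute[[:space:]]*$' "$f" \
            || continue
        # Idempotent: skip files already patched on an earlier run.
        if grep -Eq '^[[:space:]]*seccomp\.drop[[:space:]]+memfd_create[[:space:]]*$' "$f"
        then
            continue
        fi
        cp -p "$f" "$f.orig"         # keep the unmodified profile for diffing
        # Do not glue the new directive onto an unterminated last line.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$f"
        fi
        printf '%s\n' 'seccomp.drop memfd_create' >> "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Stand-alone use: sh script.sh /path/to/profile/working/copy
if [ $# -gt 0 ]; then
    patch_mdwe_profiles "$1"
fi
```

Commented-out directives are left alone, and the `.orig` copies make it easy to diff the patched set against the git profiles before installing them.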

@rusty-snake commented on GitHub (Apr 1, 2020):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.

Reference: github-starred/firejail#2045