https://bugs.winehq.org/show_bug.cgi?id=48889
--- Comment #14 from Luca Boccassi luca.boccassi@gmail.com --- (In reply to oiaohm from comment #10)
For some users, like yourself, adding net_raw might be a step too far - then you are of course free not to enable it. I'm fine with having it off by default, that's not a concern really. It can even be a low priority debconf option, so nobody will see it unless they go look for it. Other users for whom the distinction is perfectly meaningless can instead choose to enable it and have working applications.
Really this is your ignoring the problem.
Thanks for the (unsolicited) curriculum, but I'm afraid the only actual, real problem being ignored is that users are silently running a configuration that is unsafe, and that causes them to get their accounts banned, incurring in very real tangible and even monetary losses. So, in reality, the only software acting as malware on my machine right now is wine itself. Fortunately someone already documented this broken behaviour in the applications DB pages, to help limit the damage. Unfortunately the workarounds are not "sticky" due to the nature of packages and file-based capabilities - which means at best users could be pinning the versions and avoiding updates, at worst the malware-like behaviour gets reintroduced without notice. Trying to be a good citizen, I thought of sharing a more durable workaround that doesn't require pinning, is a one-time configuration and is still under the developers control.
Of course you are absolutely free to hold off and instead spend another 13 years (the original bug, linked earlier, was opened in 2007) looking for a perfect solution to all hypothetical problems - I wish you the of best luck in your endeavours.
In the meantime, I'll share another solution which, unlike the packaging changes, is 100% under the control of users, while still being a one-time change:
$ cat /etc/dpkg/dpkg.cfg.d/wine-setcap post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f /opt/wine-staging/bin/wine-preloader && ! /sbin/getcap /opt/wine-staging/bin/wine-preloader | grep -qs "cap_net_raw"; then /sbin/setcap "cap_net_raw=epi" /opt/wine-staging/bin/wine-preloader; fi post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f /opt/wine-staging/bin/wine64-preloader && ! /sbin/getcap /opt/wine-staging/bin/wine64-preloader | grep -qs "cap_net_raw"; then /sbin/setcap "cap_net_raw=epi" /opt/wine-staging/bin/wine64-preloader; fi post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f /opt/wine-staging/bin/wineserver && ! /sbin/getcap /opt/wine-staging/bin/wineserver | grep -qs "cap_net_raw"; then /sbin/setcap "cap_net_raw=epi" /opt/wine-staging/bin/wineserver; fi
Unfortunately dpkg hooks are rather blunt tools - they run on every single action for every single package, which is truly icky. But it still beats losing accounts and money.