Patrick, because you are well known in the TAILS community and so it's likely they'll listen, is it OK if you post to them my idea about scanning ucspi-tcp with Valgrind to check it doesn't have memory safety issues? If any of them is familiar with C, they may be able to patch it if problems arise. For static analysis of the code they can run it free through Coverity Scan or use PeachFuzzer.
https://scan.coverity.com/users/sign_up
I saw your comment on the AppArmor wishlist for a profile for this component, so we are OK on that containment front, but it's better not to have exploitable holes in the first place.
This may seem unreasonable, but considering what we are potentially up against, these measures are needed to cut it.