Control: tags -1 + patch

Hi Alexander

On Sat, Sep 22, 2012 at 10:13:06AM +0200, Andreas Beckmann wrote:
> Package: ferm
> Version: 2.1-2
> Severity: serious
> Tags: squeeze-ignore
> User: [email protected]
> Usertags: piuparts
> Control: found -1 2.0.7-1
>
> Hi,
>
> during a test with piuparts I noticed your package modifies conffiles.
> This is forbidden by the policy, see
> http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files
>
> 10.7.3: "[...] The easy way to achieve this behavior is to make the
> configuration file a conffile. [...] This implies that the default
> version will be part of the package distribution, and must not be
> modified by the maintainer scripts during installation (or at any
> other time)."
>
> Note that once a package ships a modified version of that conffile,
> dpkg will prompt the user for an action how to handle the upgrade of
> this modified conffile (that was not modified by the user).
>
> Further in 10.7.3: "[...] must not ask unnecessary questions
> (particularly during upgrades) [...]"
>
> If a configuration file is customized by a maintainer script after
> having asked some debconf questions, it may not be marked as a
> conffile. Instead a template could be installed in /usr/share and used
> by the postinst script to fill in the custom values and create (or
> update) the configuration file (preserving any user modifications!).
> This file must be removed during postrm purge.
> ucf(1) may help with these tasks.
> See also http://wiki.debian.org/DpkgConffileHandling
>
> In https://lists.debian.org/debian-devel/2012/09/msg00412.html and
> followups it has been agreed that these bugs are to be filed with
> severity serious.
>
> debsums reports modification of the following files,
> from the attached log (scroll to the bottom...):
>
> /etc/default/ferm

Attached is a tentative patch to solve this issue. Hope it can help! (I
have not taken any NMU upload action, only attaching the patch here).

Regards,
Salvatore
reverted: --- ferm-2.1/debian/ferm.default +++ ferm-2.1.orig/debian/ferm.default @@ -1,10 +0,0 @@ -# configuration for /etc/init.d/ferm - -# use iptables-restore for fast firewall initialization? -FAST=yes - -# cache the output of ferm --lines in /var/cache/ferm? -CACHE=yes - -# additional paramaters for ferm (like --def '$foo=bar') -OPTIONS= diff -u ferm-2.1/debian/changelog ferm-2.1/debian/changelog --- ferm-2.1/debian/changelog +++ ferm-2.1/debian/changelog @@ -1,3 +1,20 @@ +ferm (2.1-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix "ferm: modifies conffiles (policy 10.7.3): /etc/default/ferm" + (Closes: #688377) + - Don't install ferm.default as conffile in /etc/default + - Read /etc/default/ferm in ferm.config. + If /etc/default/ferm exists and ENABLED= is present then store the + value of ENABLED into debconf db. + - Create /etc/default/ferm in postinst. + Create /etc/default/ferm if it does not yet exists in postinst. + Furthermore if the admin deleted or commented the ENABLED then (re-)add + it to the configuration file in postinst. + - Remove configuration file on purge in postrm script + + -- Salvatore Bonaccorso <[email protected]> Fri, 12 Oct 2012 20:53:58 +0200 + ferm (2.1-2) unstable; urgency=low [ great debian l10n teams ] diff -u ferm-2.1/debian/ferm.postinst ferm-2.1/debian/ferm.postinst --- ferm-2.1/debian/ferm.postinst +++ ferm-2.1/debian/ferm.postinst 
@@ -4,27 +4,44 @@ action=$1 version=$2 +# generate default file if it doesn't exist +if [ ! -e /etc/default/ferm ]; then + cat > /etc/default/ferm <<-END + # configuration for /etc/init.d/ferm + + # use iptables-restore for fast firewall initialization? + FAST=yes + + # cache the output of ferm --lines in /var/cache/ferm? + CACHE=yes + + # additional paramaters for ferm (like --def '$foo=bar') + OPTIONS= + + # Enable the ferm init script? (i.e. run on bootup) + END +fi + if [ "$action" = configure ]; then . /usr/share/debconf/confmodule db_version 2.0 - if ! test -f /etc/default/ferm || ! grep -q ^ENABLED= /etc/default/ferm; then - # copy the enabled flag from debconf to /etc/default/ferm - - db_get ferm/enable - if [ "$RET" = "false" ]; then - VALUE="no" - else - VALUE="yes" - fi - - { - echo - echo "# Enable the ferm init script? (i.e. run on bootup)" - echo "ENABLED=$VALUE" - } >> /etc/default/ferm + # get values from debconf db + db_get ferm/enable + if [ "$RET" = "false" ]; then + VALUE="no" + else + VALUE="yes" fi + # If the admin deleted or commented some variables but then set + # them via debconf, (re-)add them to the configuration file + grep -Eq '^ *ENABLED=' /etc/default/ferm || \ + echo "ENABLED=" >> /etc/default/ferm + + # substitute value + sed -i "s/^ENABLED=.*$/ENABLED=\"$VALUE\"/" /etc/default/ferm + # make the firewall configuration readable only by root and group adm if [ -d /etc/ferm ]; then chown -R root:adm /etc/ferm diff -u ferm-2.1/debian/ferm.postrm ferm-2.1/debian/ferm.postrm --- ferm-2.1/debian/ferm.postrm +++ ferm-2.1/debian/ferm.postrm @@ -5,2 +5,6 @@ +if [ "$1" = "purge" ]; then + rm -f /etc/default/ferm +fi + #DEBHELPER# diff -u ferm-2.1/debian/ferm.config ferm-2.1/debian/ferm.config --- ferm-2.1/debian/ferm.config +++ ferm-2.1/debian/ferm.config 
@@ -12,0 +13,9 @@ + +# load configuration file if it exists and read +# value of ENABLED into Debconf database +if test -e /etc/default/ferm && grep -q '^ENABLED=' /etc/default/ferm; then + . /etc/default/ferm || true + + # Store values from config file into debconf db. + db_set ferm/enable "$ENABLED" +fi
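
Review bot: In the ferm.postinst hunk, the here-document that generates /etc/default/ferm uses an unquoted delimiter (`<<-END`), so the shell expands `$foo` in the comment line `(like --def '$foo=bar')` and the generated file will read `--def '=bar'`; quoting the delimiter (`<<-'END'`) keeps the text literal. In the same hunk the check `grep -Eq '^ *ENABLED='` accepts leading spaces while `sed -i "s/^ENABLED=.*$/..."` does not, so a line such as ` ENABLED=no` suppresses the re-add and is then never rewritten, leaving the debconf answer unapplied; use the same anchor in both commands. The generation block also sits above the `[ "$action" = configure ]` test, so it runs for every postinst action; moving it inside that branch would limit it to configure.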
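
Review bot: In the ferm.config hunk, `db_set ferm/enable "$ENABLED"` stores the file's value as-is, but the postinst in this same patch writes ENABLED as "yes" or "no" and interprets the debconf answer by comparing `$RET` with "false". A file containing ENABLED=no therefore puts "no" into debconf, and if that value reaches the postinst unchanged the comparison against "false" does not match and the file is rewritten to ENABLED="yes", turning the init script back on for an admin who had disabled it. Map the value before storing it (for example "no" to false and anything else to true) so that both scripts agree on one representation.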

