Package: lintian
Version: 2.5.82
Severity: wishlist

From the tag description (extended in bug #889489), it's not clear to me *how* to use runuser for the requested fix and *why* using runuser actually fixes the problem described in the tag and the referenced bug reports. (The bugs referenced in the tag outline the security issue but actually give no example or advice on how to implement the advice in the tag description.)

Specifically:

W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:154
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:156
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:158
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:159
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:160
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:161

The postinst at the point in git history matching the build which generated the above output was:

https://github.com/Linaro/pkg-lava-server/blob/901d4d89b174544eebcf08cbc3c78fe3f9fef4f4/debian/lava-server.postinst

The problem is that the directories concerned are specific to the current installation and are created based on dates (year, month, day) for archival reasons. Every day that an installation is doing useful work, a directory of test logs will be created. There are other directory trees as well, so simply replacing the find with a static list of directories is completely infeasible.

Also, although I've given a link to the current postinst, patches to that postinst are not a fix for this bug - the rationale, supporting documentation and reasoning are required, as well as examples. Upstream will be creating a new packaging script (see https://projects.linaro.org/browse/LAVA-973) which will almost certainly be written in Python3 to replace the majority of the current Debian packaging postinst maintainer script. So, clear reasons and advice, without getting tied up in specific languages, on how to avoid the problem which led to this tag are really important.

Testing any changes to the permission handling in this package is going to take a *lot* of effort because tests can only be done on snapshots of busy installations which have a lot of data and the data cannot be easily generated.
The current code has been tried and tested over many iterations of large installations (typically with a few Gb of data in the respective directories, so the fix needs to be at least as fast as the current code).

Can a wiki page be created which goes into detail on how this issue can be fixed both in a maintainer script and in other upstream scripts which maintainers may need to package?

For now, I will have to override this warning because I see no practical way to fix it.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, arm64

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                            2.30-15
ii  bzip2                               1.0.6-8.1
ii  diffstat                            1.61-1+b1
ii  dpkg                                1.19.0.5
ii  file                                1:5.32-2
ii  gettext                             0.19.8.1-6
ii  intltool-debian                     0.35.0+20060710.4
ii  libapt-pkg-perl                     0.1.33
ii  libarchive-zip-perl                 1.60-1
ii  libclass-accessor-perl              0.51-1
ii  libclone-perl                       0.39-1
ii  libdpkg-perl                        1.19.0.5
ii  libemail-valid-perl                 1.202-1
ii  libfile-basedir-perl                0.07-1
ii  libipc-run-perl                     0.99-1
ii  liblist-moreutils-perl              0.416-1+b3
ii  libparse-debianchangelog-perl       1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]    5.26.1-5
ii  libtext-levenshtein-perl            0.13-1
ii  libtimedate-perl                    2.3000-2
ii  liburi-perl                         1.73-1
ii  libxml-simple-perl                  2.25-1
ii  libyaml-libyaml-perl                0.69+repack-1
ii  man-db                              2.8.3-2
ii  patchutils                          0.3.4-2
ii  perl                                5.26.1-5
ii  t1utils                             1.41-2
ii  xz-utils                            5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch    <none>
ii  dpkg-dev              1.19.0.5
ii  libhtml-parser-perl   3.72-3+b2
ii  libtext-template-perl 1.52-1

-- no debconf information