Package: lintian
Version: 2.5.82
Severity: wishlist

>From the tag description (extended in bug #889489), it's not clear to me
*how* to use runuser for the requested fix and *why* using runuser
actually fixes the problem described in the tag and the referenced
bug reports. (The bugs referenced in the tag outline the security
issue but actually give no example or advice on how to implement the
advice in the tag description.)

W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 
W: lava-server: maintainer-script-should-not-use-recursive-chown-or-chmod 

The postinst at the point in git history matching the build which generated
the above output was:

The problem is that the directories concerned are specific
to the current installation and are created based on dates (year,
month day) for archival reasons. Every day that an installation is
doing useful work, a directory of test logs will be created.

There are other directory trees as well, so simply replacing the
find with a static list of directories is completely infeasible.

Also, although I've given a link to the current postinst, patches
to that postinst are not a fix for this bug - the rationale, supporting
documentation and reasoning is required, as well as examples.

Upstream will be creating a new packaging script (see which will almost
certainly be written in Python3 to replace the majority of the
current Debian packaging postinst maintainer script. So, clear
reasons and advice, without getting tied up in specific languages,
on how to avoid the problem which lead to this tag is really important.

Testing any changes to the permission handling in this package
is going to take a *lot* of effort because tests can only be done
on snapshots of busy installations which have a lot of data and
the data cannot be easily generated. The current code has been tried
and tested over many iterations of large installations (typically
with a few Gb of data in the respective directories, so the fix
needs to be at least as fast as the current code).

Can a wiki page be created which goes into detail on how this
issue can be fixed both in a maintainer script and in other
upstream scripts which maintainers may need to package?

For now, I will have to override this warning because I see no
practical way to fix it.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, arm64

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en 
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                          2.30-15
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                    
ii  file                              1:5.32-2
ii  gettext                 
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl            
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.99-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.73-1
ii  libxml-simple-perl                2.25-1
ii  libyaml-libyaml-perl              0.69+repack-1
ii  man-db                            2.8.3-2
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-5
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev     
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.52-1

-- no debconf information

Reply via email to