Package: xymon-client
Version: 4.3.28-2
Severity: important
Tag: moreinfo
Control: found -1 4.3.28-2+deb9u1
Control: found -1 4.3.28-5+deb10u1
Control: found -1 4.3.30-1

With the recent security updates, but also in Debian Unstable, I noticed that some installations no longer reported to the correct server or to the same list of servers. All those had one or more older server IPs in the debconf database and a different set in /etc/default/xymon-client, either manually edited or via config management like ansible.

xymon-client.postinst edits two variables in /etc/default/xymon-client unconditionally and always sets the IP address(es) stored in the debconf database.

It only occurred to me often enough to see the pattern in the past months, though — and it's unclear to me why not earlier, because the xymon-client.postinst script hasn't been touched since 2015. The last changes to the debconf part were in 2014, when the question about automatic migration was added, and the most recent bigger change was in 2012.

There's a chance, though, that I ran into it more often because I toyed around with reporting to multiple Xymon servers as well as with Xymon reporting over SSL and IPv6 via stunnel, and probably edited /etc/default/xymon-client manually more often than using "dpkg-reconfigure -plow xymon-client" for it (which is the way to work around this issue permanently — until the next manual edit of the file ;-).

So it overwrites the configuration file with local changes by the local admin with a value set by the local admin (earlier). So both are local configurations with two different systems/styles/methods. They're just not kept in sync and any diversion is not reported or cared about.

I just reread https://www.debian.org/doc/debian-policy/ch-files.html#behavior (§10.7.3) — but actually both "must not overwrite or otherwise mangle the user’s configuration without asking" and "must not ask unnecessary questions (particularly during upgrades)" apply and seem to contradict here (a bit at least).

I tend to have the opinion, though, that the current state is not good, especially annoying and potentially a policy violation (§10.7.3) — although it's mostly two local config sources not being in sync, but both are local changes from the local admin. The admin, though, is likely not aware of it.

Potential solutions:

* ucf — Potentially complex and error-prone. The function create_sshdconfig() from /var/lib/dpkg/info/openssh-server.postinst could be used as a pattern for a solution based on ucf.

* Adding a hint to the file that the values of two variables in the file are maintained via debconf and might be overwritten upon package (security) upgrades if their values are edited manually. (Probably doesn't help much if a configuration management à la Ansible is used.)

Suggestions, comments and opinions on this issue are welcome — and actually wanted, hence the moreinfo tag. :-)

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), (400, 'proposed-updates-debug'), (400, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages xymon-client depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  libc6                  2.28-10
ii  libssl1.1              1.1.1c-1
ii  lsb-base               10.2019051400
ii  net-tools              1.60+git20180626.aebd88e-1
ii  procps                 2:3.3.15-2

xymon-client recommends no packages.

Versions of packages xymon-client suggests:
ii  hobbit-plugins  20190404
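
A drift check for the mismatch described in this report, as an added example that is not part of the original report or of the xymon package: it compares the values in a copy of /etc/default/xymon-client with saved "debconf-show xymon-client" output and lists the variables an upgrade would overwrite. The variable names XYMONSERVERS and CLIENTHOSTNAME, the matching debconf question names, the helper function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: report drift between a defaults file and a debconf dump.
# ASSUMPTION: variable and question names; adjust to the installed package.
VARS="${VARS:-XYMONSERVERS CLIENTHOSTNAME}"
PKG="${PKG:-xymon-client}"

# Value assigned to variable $2 in file $1 (last assignment wins, quotes
# stripped; the file is parsed, never sourced).
file_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Value of question $PKG/$2 in saved `debconf-show` output (file $1).
debconf_value() {
    sed -n "s|^[* ] $PKG/$2: ||p" "$1" | tail -n 1
}

# Sort and de-duplicate a whitespace-separated list, so that the same set of
# servers in a different order does not count as drift.
normalise() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u | tr '\n' ' '
}

# Print one line per drifting variable; return 1 if any drift was found.
xymon_drift() {
    drift=0
    for v in $VARS; do
        f=$(normalise "$(file_value "$1" "$v")")
        d=$(normalise "$(debconf_value "$2" "$v")")
        [ "$f" = "$d" ] && continue
        printf '%s: file=[%s] debconf=[%s]\n' "$v" "${f% }" "${d% }"
        drift=1
    done
    return "$drift"
}

# Constructed sample inputs (documentation addresses, not from the report).
write_samples() {
    printf '%s\n' '# managed by ansible' 'XYMONSERVERS="192.0.2.20 192.0.2.21"' \
        'CLIENTHOSTNAME="web1.example.org"' > "$1/default"
    printf '%s\n' '* xymon-client/XYMONSERVERS: 192.0.2.10' \
        '* xymon-client/CLIENTHOSTNAME: web1.example.org' > "$1/debconf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
xymon_drift "$tmp/default" "$tmp/debconf" || echo "drift: next upgrade may rewrite the file"
rm -rf "$tmp"
```

On a real host the second argument would be a file holding the output of "debconf-show xymon-client" run as root, and a non-zero exit status can feed a configuration-management or monitoring check before package upgrades are applied.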

