Hi

On Sat, Apr 22, 2006 at 01:18:09PM +0200, Thomas Huriaux wrote:
> Hi again,
>
> Ola Lundqvist <[EMAIL PROTECTED]> (22/04/2006):
> > On Fri, Apr 21, 2006 at 10:52:40PM +0200, Thomas Huriaux wrote:
> > > Ola Lundqvist <[EMAIL PROTECTED]> (21/04/2006):
> > > > On Fri, Apr 21, 2006 at 07:35:01PM +0200, Thomas Huriaux wrote:
> > Please tell me what is hard to understand with these notes instead.
>
> I have no problem to understand what these notes are saying. I just
> don't understand their positions. Why in the installation process when
> the actions will have to be taken after the installation and have no
> direct relation with the package usability?

Because there is no way to display things at the end of the installation
process, right?

> > > > > Conclusion: If you want to keep the current philosophy of the package
> > > > > without bothering users with pointless notes, you should take the
> > > > > following actions:
> > > > > * remove harden/welcome (or move it to a README.Debian file)
> > > > It is already with priority low output, so I do not really agree.
> > >
> > > Even with a low priority, once again, imagine that every package
> > > displays a note with "Hello, you are using the foobar package. You
> > > can find more documentation blablabla...". It would simply make the low
> > > priority unused by users.
> >
> > That is what you have low priority for. The default is medium and therefore
> > you will not have them printed with the default option. So what is the
> > problem?
>
> No, low priority is for very customized configuration options that
> should not be displayed to the normal user during the installation.
> Welcome notes should not exist, as advanced users don't care about these
> notes and normal users won't see them as they don't want to have too
> difficult questions to answer.

What you are saying is that notes should not be used at all, even with
low priority. I know that the manpage tells that it should be avoided but
I still think it is valid in this situation.

> > > > > * remove harden-*/plaintext and emphasize (if needed) the package
> > > > >   description about the conflicts
> > > > But they are not for describing the conflicts.
> > >
> > > See above.
> > >
> > > > > * provide documentations such as README, manpage, ... for
> > > > >   harden-servers/inetd and harden-servers/vncserver (and of course
> > > > >   remove those notes)
> > > >
> > > > No I will not do this last point, unless inetd have changed their
> > > > defaults of course.
> > >
> > > Still the same difference of opinion, i.e. something like that has no
> > > added value during the package configuration process.
> >
> > BUT the package has NO use without the notes and the conflicts!!! It does
> > not contain anything else.
>
> I indeed think that the only use of the package is to use the conflicts
> field. And this is a good idea to avoid installing not secured packages.
> But if I want to harden a system, I won't follow your debconf
> instructions but read a complete documentation.

I can agree that reading the full doc is what you should do. These notes
are for new maintainers and therefore printed with low or medium priority.
If it help I

> > > I'm afraid our main disagreement is the distinction I made between
> > > installation/configuration of a package and use of a package. It seems
> > > for me that you consider you're using a package as soon as you start
> > > to install it.
> > In this case it is true as this is mostly a meta package with some
> > additional help to the user.
> >
> > > If I'm right with this last statement, then I will change my
> > > argumentation :-)
> > >
> > > Sorry to be so insistent for the removal of these debconf templates, but
> > > one of my main activities within Debian is debconf-related QA and I'm
> > > still convinced that you are using debconf where you should not.
> > > That's why I really would like to see this issue fixed :-)
> >
> > Well I am still not convinced and as I have seen that this package is
> > used by quite a few people I assume that people like the idea of it.
>
> I also think the Conflicts part is a good idea. However, the notes at
> their current position aren't.
>
> > You are the first person to complain about these notes.
>
> No, I'm not, please read #144652 for example.

That bug does not complain on the display of the message but rather that
it does not have an intelligent check before displaying it.

> I don't know exactly how your users are using your package, but I don't
> think they are really using your notes to configure their systems.
> They just take advantage of the Conflicts part, and use the normal
> documentation to harden the rest of the system.
>
> I'm just reading the other bug reports, it seems that most (all?) of
> them are asking conflicts and not new instructions (if we do not take
> in account bugs that are not related with usage or were filed by you).

Yes, and? These notes are the first most important general things to
consider for a default installed system.

> > If you get consensus about this on debian-devel (which I do not read
> > by the way) or you can convince many people to answer this bug with
> > the same opinion I may change my mind.
> >
> > You see the inetd note was created because users requested that inetd
> > servers should be disabled by default when installing this package. I
> > decided that it was not a good thing to change configuration so
> > therefore I added this note.
> >
> > The plaintext password notes was added because that I could not find
> > out a good way to configure all servers to use encryption, so that
> > note was added.
>
> Once again, I don't think to stop the installation process to tell what
> your package is not doing and what the user has to do manually is a good
> idea.

Then please file a bug report to debconf to tell that this function should
be totally removed. For what else should these notes be, than to tell
that the admin needs to do something manually?

> > I still do not understand why you think they are so bad as these
> > two things are quite important for hardening of a system. A better
> > thing would of course be if I had implemented functions for editing
> > inetd services and also to configure password handling for all clients
> > and servers, but I have not really had the time to start such a big
> > project.
>
> I don't think it is bad, but that the installation process is not the
> place to display these notes.
> If you want to have a kind of interactive
> list of instructions, I take back my idea of a binary, so that after
> installing the packages, I can type "harden" when I want in a terminal,
> and have a list of things I should do or I should check. Every time a
> thing is done, I validate to have the following instruction. That's
> where this kind of instructions should appear.

But how does the user know that he/she should type harden?
But if you want to provide me with such a binary (harden) then
please do so.

Summary:
* I can consider to change the priority from medium to low
* I can change the text to something better
* If there exists an option to display things at the end of the installation
  process I can of course move the notes to that point.

Regards,

// Ola

> Cheers,
>
> --
> Thomas Huriaux

--
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                     654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                    +46 (0)70-332 1551       |
|  http://www.opal.dhs.org               UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

