Control: severity -1 important

Hi. This bug report has been on my radar since it was filed, because it is RC and I maintain a package that (very indirectly) depends on rpm.

I think a more accurate summary of the issue is:

  rpm honours $HOME, and writes db files there, even when uid==0

I think this is correct behaviour by rpm. Programs (assuming they're not setuid, which rpm isn't) ought to trust and honour the environment variables provided by their callers. It is up to the caller to make sure the program is called in a reasonable way.

In this case, sudo by default arranges for the environment and the uid to match. That is how sudo discharges that responsibility. But here the sysadmin has overridden that sudo setting. I think the system administrator who does this ought to expect the behaviour exhibited by rpm, and gets to keep all the resulting pieces.

Overall, running things like apt as root but with a personal HOME (and other personal environment variables) is likely to cause many different kinds of lossage, of which the issue described here is only one.

Incidentally, I do not use sudo. I wrote my own tool (available in chiark-really.deb), which does not adjust the environment at all. So I get to run as root but with my own usual personal environment.

However, I do not start daemons, or do package management operations, in this environment. My personal environment variables including HOME are not appropriate for systemwide "production" activities.

I discovered this many years ago the hard way: I had done some package upgrades without resetting my environment. One of the packages was cron. cron, and all of its children, therefore inherited my personal environment. This caused some quite strange behaviours in some cron jobs.

When I discovered this, it became obvious to me that none of this was the fault of cron, or apt, or of the cron jobs. It was my own fault for running apt with my personal environment.

I am going to downgrade this bug report. Personally I think it ought to be closed, but I will limit my intervention to that necessary to get my own package off the autoremoval list.

Thanks,
Ian.

--
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
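
A caller-side check for the mismatch discussed in the message above (root uid with a personal HOME), as an added example that is not part of the original message and not code from rpm, sudo or chiark-really. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that HOME belongs to the uid a command will run as.
# Function names and the sample passwd data are constructed for illustration.

# Constructed passwd entries so the check can be exercised offline.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash'
}

# Print the home directory recorded for a numeric uid.
# With a second argument, read that passwd-format file instead of NSS.
passwd_home() {
    if [ -n "${2:-}" ]; then
        awk -F: -v uid="$1" \
            '$3 == uid { print $6; found = 1; exit } END { exit !found }' "$2"
    else
        getent passwd "$1" | cut -d: -f6
    fi
}

# Return 0 if HOME ($2) is the passwd home of uid ($1), 1 on mismatch,
# 2 if the uid has no passwd entry.
home_matches_uid() {
    hm_expected=$(passwd_home "$1" "${3:-}") || return 2
    [ -n "$hm_expected" ] || return 2
    [ "$2" = "$hm_expected" ]
}

# Run a command only when the current HOME belongs to the effective uid.
guarded() {
    g_uid=$(id -u)
    if home_matches_uid "$g_uid" "${HOME:-}"; then
        "$@"
    else
        echo "refusing to run '$1': HOME=${HOME:-} is not the home of uid $g_uid" >&2
        return 1
    fi
}

# Usage: guarded apt-get upgrade
```

The comparison is an exact string match, so a HOME with a trailing slash or one reached through a symlink is reported as a mismatch.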