Package: base-passwd
Version: 3.6.1
Severity: wishlist

Hey there.

Back then when #969631 was discussed, a number of arguments
were brought forward why it would be nice and maybe even possible
to migrate the UID of the _apt user on legacy installations to
its new UID from the globally reserved range.

The changelog entry even says:
> Note that this currently makes no attempt to migrate existing installations
… currently.


I just stumbled over this deviation when upgrading some servers
at the university from bullseye to bookworm... and wondered whether
there are still any plans to have such a migration?


As far as I understood the whole thread of #969631 it seems to me
that all cases where a migration would actually cause problems are
either very obscure (correct me if I'm wrong, but with file:/ and
copy:/ ... isn't it typically so that these files will be world-
readable?) and/or one would quickly notice them (i.e. when apt
errors out because it cannot read something as _apt, unless it
anyway falls back to do that as root).

Not sure, but wouldn't the same be also the case with certificates
(that cannot be automatically migrated to the new UID and thus
may no longer be readable if that changes)? I mean a) this is quite
an "advanced" setup so I think one can demand that people doing
something like that read the release notes and would see a section
about the changed UIDs... and even if not, their apt would either
error out or fall back to root.

Maybe I'm just too naive, but the biggest problem seems to me, if
the sandboxing is silently lost (as people may indeed not see or
ignore the warnings that it runs as root instead of as _apt).



Anyway... I'm not even asking for an automatic migration (though
that would of course be the best if it could be done), but wouldn't
it be possible to add some release notes for trixie, where people
are advised about what happened, and how and under which circumstances
they can manually migrate?


E.g. AFAICS, all the servers I administer, have only three files owned
by APT:
/var/lib/apt/lists/partial
/var/lib/apt/lists/auxfiles
/var/cache/apt/archives/partial

I don't do anything special with firewall or certs (like I guess many
people will not),... so what if one simply instructs people, that, if
they don't have any of these specific setups,
they could simply bring their system "up-to-date" with a list of
given steps?


That would give people at least the chance to align their setups with
the "new" defaults... and even if many people may not read and/or do
it, that still wouldn't make things worse than they are now.


Cheers,
Chris.
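
The inventory discussed in the report (which paths a given UID owns, and which of those would stop being readable if the owner's UID changed), as an added example that is not part of the original message or of any Debian package. The function names are hypothetical; the script only reads metadata and changes nothing.

```shell
#!/bin/sh
# Added example (hypothetical helper names): read-only audit of paths owned
# by a numeric UID, e.g. the current UID of the _apt user.

# owned_paths UID ROOT...
# Every path under the given roots that is owned by UID.
owned_paths() {
    uid=$1; shift
    # -xdev keeps find on the filesystem of each root.
    find "$@" -xdev -uid "$uid" -print
}

# uid_dependent_paths UID ROOT...
# Paths owned by UID that are NOT accessible to "other": directories lacking
# o+rx, anything else lacking o+r. Access to these depends on the owner UID
# (or on group membership), so a UID change without a matching chown would
# make them unreadable for the renumbered user.
uid_dependent_paths() {
    uid=$1; shift
    find "$@" -xdev -uid "$uid" \
        \( -type d ! -perm -005 -o ! -type d ! -perm -004 \) -print
}

# Typical use on a real system (directories taken from the report above):
#   uid_dependent_paths "$(id -u _apt)" /var/lib/apt /var/cache/apt
```

World-readable paths do not appear in the second list because they remain readable whatever UID the user ends up with.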
