Bug#714796: ferm: modifies conffiles (policy 10.7.3): /etc/default/ferm

2014-03-16 Thread Christian Kastner
On 2014-03-16 11:45, Christian Kastner wrote:
> On 2013-07-02 23:41, Andreas Beckmann wrote:
>> during a test with piuparts I noticed your package modifies conffiles.
>> This is forbidden by the policy
> 
>> debsums reports modification of the following files,
>> from the attached log (scroll to the bottom...):
>>
>>   /etc/default/ferm
> 
> The problem is that postinst unconditionally overwrites the value of the
> ENABLED= variable in /etc/default/ferm with whatever was stored in debconf.
> 
> I just experienced this during an upgrade whereby I explicitly disabled
> ferm by setting ENABLED=no yet after the upgrade, it was ENABLED=yes.
> This resulted in me being locked out of the system.
> 
> The attached trivial patch fixes this by using the debconf value only as
> the default, when no ENABLED= is present.

Eh, I just noticed that the original value was quoted, which I didn't
do. Updated patch attached.

Christian
From f0fbd0876e8bbbdbedb04955219ce4b8f2f53bef Mon Sep 17 00:00:00 2001
From: Christian Kastner 
Date: Sun, 16 Mar 2014 11:30:24 +0100
Subject: [PATCH] Do not unconditionally overwrite ENABLED= in
 /etc/default/ferm

---
 debian/ferm.postinst | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/debian/ferm.postinst b/debian/ferm.postinst
index 0f8ea64..f13c9b8 100644
--- a/debian/ferm.postinst
+++ b/debian/ferm.postinst
@@ -37,10 +37,7 @@ if [ "$action" = configure ]; then
 # If the admin deleted or commented some variables but then set
 # them via debconf, (re-)add them to the configuration file
 grep -Eq '^ *ENABLED=' /etc/default/ferm || \
-	echo "ENABLED=" >> /etc/default/ferm
-
-# substitute value
-sed -i "s/^ENABLED=.*$/ENABLED=\"$VALUE\"/" /etc/default/ferm
+	echo "ENABLED=\"$VALUE\"" >> /etc/default/ferm
 
 # make the firewall configuration readable only by root and group adm
 if [ -d /etc/ferm ]; then
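
Review bot: With the sed substitution removed, $VALUE reaches /etc/default/ferm only through the appending echo, that is, only when grep finds no ENABLED= line, so a debconf answer changed later has no effect once the line exists, and the retained comment ("then set them via debconf, (re-)add them to the configuration file") does not say so. Suggest rewording the comment to state that an existing ENABLED= line is authoritative, and having the debconf side read the value already in the file so the two cannot disagree. The append still writes to /etc/default/ferm from postinst, which is the kind of modification the report was filed about.
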
-- 
1.9.0



Bug#714796: ferm: modifies conffiles (policy 10.7.3): /etc/default/ferm

2014-03-16 Thread Christian Kastner
tag 714796 + patch
thanks

On 2013-07-02 23:41, Andreas Beckmann wrote:
> during a test with piuparts I noticed your package modifies conffiles.
> This is forbidden by the policy

> debsums reports modification of the following files,
> from the attached log (scroll to the bottom...):
> 
>   /etc/default/ferm

The problem is that postinst unconditionally overwrites the value of the
ENABLED= variable in /etc/default/ferm with whatever was stored in debconf.

I just experienced this during an upgrade whereby I explicitly disabled
ferm by setting ENABLED=no yet after the upgrade, it was ENABLED=yes.
This resulted in me being locked out of the system.

The attached trivial patch fixes this by using the debconf value only as
the default, when no ENABLED= is present.

Christian
From 52f20b4c7483847efcc121135f3fb91469e22a98 Mon Sep 17 00:00:00 2001
From: Christian Kastner 
Date: Sun, 16 Mar 2014 11:30:24 +0100
Subject: [PATCH] Do not unconditionally overwrite ENABLED= in
 /etc/default/ferm

---
 debian/ferm.postinst | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/debian/ferm.postinst b/debian/ferm.postinst
index 0f8ea64..84b1146 100644
--- a/debian/ferm.postinst
+++ b/debian/ferm.postinst
@@ -37,10 +37,7 @@ if [ "$action" = configure ]; then
 # If the admin deleted or commented some variables but then set
 # them via debconf, (re-)add them to the configuration file
 grep -Eq '^ *ENABLED=' /etc/default/ferm || \
-	echo "ENABLED=" >> /etc/default/ferm
-
-# substitute value
-sed -i "s/^ENABLED=.*$/ENABLED=\"$VALUE\"/" /etc/default/ferm
+	echo "ENABLED=$VALUE" >> /etc/default/ferm
 
 # make the firewall configuration readable only by root and group adm
 if [ -d /etc/ferm ]; then
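
Review bot: The added echo line writes ENABLED=$VALUE without quotes, while the removed sed line wrote ENABLED=\"$VALUE\", so an appended line differs in form from what the script produced before. Suggest keeping the quoting, echo "ENABLED=\"$VALUE\"", so that files written before and after this change look the same to anything that parses them.
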
-- 
1.9.0



Bug#714796: ferm: modifies conffiles (policy 10.7.3): /etc/default/ferm

2013-07-02 Thread Andreas Beckmann
Package: ferm
Version: 2.2-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package modifies conffiles.
This is forbidden by the policy, see
http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files

10.7.3: "[...] The easy way to achieve this behavior is to make the
configuration file a conffile. [...] This implies that the default
version will be part of the package distribution, and must not be
modified by the maintainer scripts during installation (or at any
other time)."

Note that once a package ships a modified version of that conffile,
dpkg will prompt the user for an action how to handle the upgrade of
this modified conffile (that was not modified by the user).

Further in 10.7.3: "[...] must not ask unnecessary questions
(particularly during upgrades) [...]"

If a configuration file is customized by a maintainer script after
having asked some debconf questions, it may not be marked as a
conffile. Instead a template could be installed in /usr/share and used
by the postinst script to fill in the custom values and create (or
update) the configuration file (preserving any user modifications!).
This file must be removed during postrm purge.
ucf(1) may help with these tasks.
See also http://wiki.debian.org/DpkgConffileHandling

In https://lists.debian.org/debian-devel/2012/09/msg00412.html and
followups it has been agreed that these bugs are to be filed with
severity serious.

debsums reports modification of the following files,
from the attached log (scroll to the bottom...):

  /etc/default/ferm


cheers,

Andreas


ferm_2.2-1.log.gz
Description: GNU Zip compressed data
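
The approach described in the report above (a pristine template under /usr/share, with postinst filling in values while preserving user modifications), as an added example that is not part of the thread or of ferm's packaging. The function names, the template argument and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not ferm's own maintainer script. All names are hypothetical.

# Print the value KEY currently has in FILE (surrounding quotes stripped),
# or nothing if the file or the key is absent. A config script can use this
# to seed the debconf question from the file, so the file stays authoritative.
current_value() {
    file=$1 key=$2
    [ -f "$file" ] || return 0
    sed -n 's/^ *'"$key"'="\{0,1\}\([^" ]*\)"\{0,1\} *$/\1/p' "$file" | tail -n 1
}

# Make sure KEY is set in FILE without overriding a value the admin chose:
#   file missing -> create it from TEMPLATE (the pristine copy)
#   key missing  -> append KEY="DEFAULT" (DEFAULT is the debconf answer)
#   key present  -> leave the existing line exactly as it is
ensure_setting() {
    file=$1 key=$2 default=$3 template=$4
    if [ ! -e "$file" ]; then
        cp "$template" "$file"
    fi
    if ! grep -Eq "^ *$key=" "$file"; then
        printf '%s="%s"\n' "$key" "$default" >> "$file"
    fi
}

# Constructed upgrade scenario from the thread: the admin has set ENABLED=no,
# debconf still holds "yes". The admin's value must survive.
demo_upgrade() {
    dir=$(mktemp -d)
    printf '# ferm defaults (constructed sample)\n' > "$dir/template"
    printf 'ENABLED=no\n' > "$dir/ferm"
    ensure_setting "$dir/ferm" ENABLED yes "$dir/template"
    current_value "$dir/ferm" ENABLED
    rm -rf "$dir"
}

demo_upgrade
```
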