
Bug#154788: boot-floppies,www.debian.org: release notes give incorrect advice to ssh users, and attempt to subvert the package maintainer



Package: boot-floppies,www.debian.org
Version: N/A; reported 2002-07-29
Severity: critical
Tags: security
Justification: breaks unrelated software

Hi,

The paragraph:

"Please note that the ssh package in this release enables root logins
by default. (Disabled in 2.2) If you do not need this feature for
remote access to your system you should ensure that the
PermitRootLogin option in /etc/ssh/sshd_config is set to no after
upgrade for security reasons. To ensure dpkg never updates the file to
match new defaults, you can simply modify the file locally. Adding a
blank line is enough."

(in section 3.2.2) should be removed immediately for these reasons:

a) installing the new package tells you the useful parts of this
information already (to wit, that the default has changed, and how to
set it back if you so wish)

b) it is factually incorrect (the postinst will offer to auto-generate
a new configuration file for you if you're upgrading from the 1.3
package, and do nothing in this regard otherwise); dpkg will not do
anything to the configuration file on upgrade to woody in any
case. Thus it will confuse people as to what is going on wrt
PermitRootLogin

c) the wording is clearly designed to subvert the package maintainers'
default, and indeed with the security properties of this
setting. Without entering into a debate on the rights and wrongs of
this setting (since this is not the place to do so), it is absurd that
we should ship with a package and release notes that disagree with
each other; the release notes should go along with the packages in
question, so we at least appear to be consistent. If the author of
this section of the release notes (who was not me) disagrees with my
defaults for the ssh package, then there are other fora to air those
disagreements.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux ming 2.2.20 #4 Tue Jun 18 13:51:22 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C
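Added here as an illustration of the directive the quoted release-notes paragraph and point (b) argue over; this is not part of the bug report or of the Debian ssh package. It is a POSIX shell check that reports the PermitRootLogin value sshd would actually use for a given sshd_config, applying sshd's first-occurrence-wins rule (so a "no" appended below an existing "yes" changes nothing), and printing "unset" when no global directive exists (upstream OpenSSH of that era treated an absent directive as "yes"). The sample file is constructed.

```shell
#!/bin/sh
# effective_permit_root_login FILE
# Prints the PermitRootLogin value sshd takes from FILE (lower-cased),
# or "unset" if no global directive is present.
# Rules applied, matching sshd's config parser:
#   - lines whose first non-blank character is '#' are comments
#   - keywords are case-insensitive; "Key value" and "Key=value" both parse
#   - the FIRST occurrence of a keyword wins, later ones are ignored
#   - directives after a "Match" line are conditional, so scanning stops there
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        {
            n = split($0, f, /[ \t=]+/)
            i = (f[1] == "") ? 2 : 1            # leading blanks yield an empty field
            key = tolower(f[i])
            if (key == "match") exit            # global section ends here
            if (key == "permitrootlogin" && n > i) {
                print tolower(f[i+1]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample: an admin appended "no" below the shipped "yes";
# sshd keeps honouring the first occurrence, so root login stays enabled.
sample=$(mktemp)
printf '%s\n' '# shipped default' 'Port 22' '  PermitRootLogin yes' \
    'PermitRootLogin no' > "$sample"
echo "effective: $(effective_permit_root_login "$sample")"   # effective: yes
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config after an upgrade to confirm the value really is "no" rather than trusting that a line was added somewhere in the file.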


