I'm calling for a vote on the following resolution regarding bug #329409. The only proposed amendment, by Raul, has been accepted; so this is the only option on the ballot (other than further discussion). I vote yes on this resolution. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. vorlon@debian.org http://www.debian.org/ WHEREAS 1. It is a limitation of the current device-mapper implementation in Debian that all device nodes managed by libdevmapper are created with the same hard-coded ownership and permissions; and 2. The standard owning group for disk device nodes is group "disk"; and 3. The sole reason for the existence of this group on Debian systems is to control access to disk devices; and 4. The majority of device-mapper nodes expose data that is already available to members of the disk group via the component disks; and 5. The use of a different owning group in these cases therefore makes accessing the data more inconvenient but not more secure; and 6. The exception to the above is dm-crypt, whereby device-mapper nodes expose data that is not available in unencrypted form from the component disks; and 7. No single owning group satisfies all possible use cases for device-mapper; but 8. Users of dm-crypt have the option of not adding users to the disk group that they do not wish to have access to their unencrypted dm-crypt volumes; THE TECHNICAL COMMITTEE: 9. THANKS Bastian Blank for his continued maintenance of the devmapper package in Debian; and 10. ALSO THANKS Roger Leigh for bringing this issue before the committee; and 11. ENCOURAGES the devmapper maintainer to work towards support for configurable device-mapper device permissions in Debian; and 12. DETERMINES that the correct default permissions for all device-mapper nodes is root:disk 0660, with or without support for configurable device permissions; and 13. ASKS (with a 3:1 majority: REQUIRES) the devmapper maintainer to implement these permissions in unstable by applying Roger Leigh's patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=87;att=0; and 14. RECOMMENDS policy be updated to reflect this determination on default block device permissions; and 15. AUTHORIZES Roger to implement these same permissions in stable via a non-maintainer upload.
Attachment:
signature.asc
Description: Digital signature