Bug#904558: What should happen when maintscripts fail to restart a service
Ian Jackson wrote:
>> I personally think that it would make sense for the policy to at least
>> recommend what should happen with regards to maintainer scripts and
>> typical operations that are performed in them.
>
> There is already a section on error handling in scripts, which (IMO
> correctly) says that shell scripts should use set -e.
>
> When I wrote that, it didn't occur to me that anyone would think that
> a failure by a postinst script to perform an intended operation should
> be treated any other way than a failure of the postinst script.
That was perhaps also written before we started to realise that maintainer
scripts are actually best avoided as they tend to be complicated, fragile,
difficult to do right and make upgrades harder for the package manager. In
the intervening two decades, we've gone from "maintainer scripts are cool"
to "the best maintainer script is the one that doesn't exist".
So yes, ignoring errors seems wrong but…
>> And, while I'm open to be convinced otherwise, I don't see any benefit
>> from postinst (particularly postinst + configure) ever failing.
>
> Frankly I'm disturbed to be reading this, here. See above.
>
> If the postinst fails, then the user has the opportunity to fix the
> root cause and rerun dpkg-source --configure --pending. That will
> then repair the system completely.
… causing a snowball of errors in an awkward half-upgraded environment is
nasty.
The problem comes when you don't yet have the right tools installed to be
able to fix the problem. We see that scenario often enough in #debian where
someone has a failed upgrade and we try to collect more information via
pastebinit, strace, traceroute, netcat, gdb, etc.; we frequently discover
that the relevant tool isn't installed and because apt is sufficiently
unhappy about broken packages and a half-completed upgrade, you can't ask it
to install the tool at that point in time.
In the upgrade scenario, while you're trying to fix one particular problem,
you're also in a completely untested half-upgraded situation and so latent
bugs in any number of other tools may also be exposed.
So while ignoring errors is wrong, so is making it harder to fix them. This
isn't a question of absolutes.
cheers
Stuart
--
Stuart Prescott http://www.nanonanonano.net/ stuart@nanonanonano.net
Debian Developer http://www.debian.org/ stuart@debian.org
GPG fingerprint 90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
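An added illustration (not code from this bug report or from any Debian package) of the two behaviours the thread contrasts: a postinst run under `set -e` that aborts when the service restart fails, versus one that reports the failure and still completes configuration. The postinst body runs in a child shell, as dpkg would run it; the restart command is passed in as an argument so the demo runs offline, and `example-daemon` is a made-up service name.

```shell
#!/bin/sh
# Run a minimal postinst "configure" body in a child shell and return its
# exit status. $1 selects the variant, $2 is the command standing in for
# the real restart helper (invoke-rc.d / deb-systemd-invoke in a package).
run_postinst() {
    variant="$1"; restart="$2"
    case "$variant" in
    strict)
        # Plain set -e: a failing restart terminates the script with a
        # non-zero status, dpkg leaves the package half-configured and the
        # operator must repair it and run "dpkg --configure --pending".
        sh -c 'set -e
               echo "configuring example-daemon"
               "$1"
               echo "example-daemon configured"' postinst "$restart"
        ;;
    tolerant)
        # The restart failure is tested explicitly, so set -e does not fire;
        # the package reaches "installed" and the problem is only reported.
        sh -c 'set -e
               echo "configuring example-daemon"
               if ! "$1"; then
                   echo "warning: example-daemon did not restart; fix it and restart by hand" >&2
               fi
               echo "example-daemon configured"' postinst "$restart"
        ;;
    *)
        echo "unknown variant: $variant" >&2
        return 2
        ;;
    esac
}
```

Running `run_postinst strict false` returns non-zero (the "configured" line is never printed), while `run_postinst tolerant false` prints the warning and returns 0.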