Re: Bug#15859: libc6 in stable is horribly broken
Scott Ellis <storm@gate.net> writes:
> I HAVEN'T HEARD ANY REASONS WHY UTMP CORRUPTION IS SO EVIL THAT WE
> NEED TO MAKE ANYONE WHO WANTS TO RUN A FEW LIBC6 PROGRAMS ON BO GO
> THROUGH HELL.
Say you're an ISP running Debian (bo) on a bunch of machines (and
these people do exist). Now say you take dpkg and add libc6 because
you want the latest proftpd, and at the same time decide you want the
latest rxvt (for whatever reason).
Now, without any warning from dpkg (with your suggested approach), you
have a broken system where it's no longer possible to tell who's
currently logged in or even who was logged in in the past. That data
is lost.
This is not likely to make us any friends. The only possible approach
I can see (other than what we're doing now) would be to force all the
libc6 packages that touch utmp to carry the "wtmp compatible libc5"
dependency. Then upgrading one of those would force you to upgrade
libc5. But determining what belongs in that list without a source
search may be non-trivial.
> If you don't upgrade anything that deals with utmp to libc6, you
> don't have any problems).
The problem is that maybe *you* know what packages those are, but most
users expect to be able to upgrade without major system services
breaking if dpkg/dselect doesn't indicate that there's a problem.
Your approach would cause silent failures.
Imagine that (given the eariler example) the ISP upgrades the stuff,
then a week later realizes that someone may be trying to hack their
system. The go to "who" (and friends) to see what's going on, and
they get an empty listing. This is going to cause someone to need
heartburn medication.
(Hope I've got my facts straight and I'm not overlooking something
obvious.)
--
Rob Browning <rlb@cs.utexas.edu>
PGP fingerprint = E8 0E 0D 04 F5 21 A0 94 53 2B 97 F5 D6 4E 39 30
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: