
Re: horse carcas flogging (was: traceroute in /usr/bin, not /usr/sbin)



    Hello,

On Sun, Jun 17, 2001 at 03:22:58PM -0800, Ethan Benson wrote:
> well assuming debian accepts the co-editors word as that of the word
> of god, one of two things need to happen:

    Yes assuming that.  (Although "the word of god" is overstating it just a
tad, don't you think?)  See my other mail[1] for my rationale and questions
regarding how authoritative the FHS co-editor is with regards to Debian
Policy.

> traceroute moved.
> traceroute shipped non-suid.

    You are of course omitting the other option that a lot of people have
been mentioning, making a symlink that will preserve our FHS compatibility
at the minimal cost of its ugliness.  I submit that that is the best option
available to us if we are not willing to modify Debian Policy.  (As you can
infer, yet another option is to modify Debian Policy to reduce our stated
compliance with the FHS.  We now have (at least) four options available.
Isn't it nice to have choices?)

> i disagree with your statement that the maintainer has NO discretion,

    Please note that I made no such explicit statement.  I stated that "I
also take this to mean that there is no maintainer discretion,"[2] and I
explicitly solicited opinions to the contrary.  That was my interpretation
of what the FHS co-editor said, and thus was a restatement of what I thought
Rusty meant, not my own statement.  I am open to the question if the
maintainer has any discretion, although I have an opinion that is already
formed.

> i think rusty's remarks make that clear:  `assuming traceroute is
> setuid' the maintainer decides whats setuid in his package.  debian
> has shipped many traditionally setuid binaries non-setuid for a long
> time (dump and restore for example).  

    My question as to the maintainer's discretion assumed all else being
equal, I suppose I should have made that clear.  Certainly the maintainer
could modify the package so that it could belong in /usr/sbin -- he could
remove all functionality for users unless the root password could be
provided, for example -- that is not the point.  My question is, if the
package remains as it is, does the maintainer have the option of ignoring
both a definition in the FHS and an explicit clarification.  As I have
argued elsewhere[3], it is possible that the "must" in Debian Policy[4] does
allow this (although I am skeptical of that right now).  We shall have to
see if anyone argues that interpretation.

    Surely, removing the setuid bit is an option.  I submit that it is a bad
idea, but that is at the discretion of the maintainer.  (I do reserve the
option of complaining if this is implemented, but for the purposes of FHS
compliance, this seems to be a valid choice.)  Of course, shipping
traceroute non-setuid will probably cause even more bug reports and
complaints on debian-devel.

    Yes, there are many ways to shut me up.  As long as we are not lying
about our FHS compliance, I will be quiet on that score.

Rene, who also has the agenda of being able to swiftly stop this thread next
    time it resurfaces, but that is secondary to ensuring that we are not
    flagrantly ignoring Debian Policy as written.

References:
[1] Message-ID: <20010618014156.A3986@bauhaus.dhs.org>, as it is not yet
    archived on <http://lists.debian.org/>
[2] <http://lists.debian.org/debian-devel-0106/msg01005.html>
[3] <http://lists.debian.org/debian-devel-0106/msg01006.html>
[4] <http://www.debian.org/doc/debian-policy/ch-opersys.html> as modified by
    <http://bugs.debian.org/98291>


-- 
+---           (Rene Weber is <rene_autoreply@elvenlord.com>)          ---+
|                    Put no trust in cryptic comments.                    |
+---  E-Mail Policy & web page: <http://satori.home.dhs.org/~rweber/>  ---+


