Re: Bug#220437: cgiwrap.allow replaced by package upgrade

[<allomber@math.u-bordeaux.fr>]

On Wed, Nov 12, 2003 at 09:15:59PM +0100, Pierre Machard wrote:
> > I wanted all users to be allowed access by default, so I
> > removed the cgiwrap.allow file.  Ages later (when I'd
> > completely forgotten about it) a problem occurred because
> > that cgiwrap.allow file had been replaced during a routine
> > upgrade (must have been a security upgrade as I'm tracking
> > stable) and by default all users were denied access.
> 
> It is very strange since there was no security release for 
> this package. 
> 
> > It seems the problem is a conflict between the way Debian
> > does configuration files (if it's there it won't be touched,
> > but if it's not there it will be put there), and logic that
> > involves the presence or absence of a file.

Hello, I would like to point out that this statement is false:

Debian policy E.1.:

E.1. Automatic handling of configuration files by `dpkg'

     However, note that `dpkg' will _not_ replace a conffile that was
     removed by the user (or by a script).  This is necessary because with
     some programs a missing file produces an effect hard or impossible to
     achieve in another way, so that a missing file needs to be kept that
     way if the user did it.

So I wonder whether you purged the package and reinstalling without realizing.

Alternatively it might be a bug in a old version of the package that did
not register cgiwrap.allow as conffiles.

Cheers
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.