Re: How to change the severity of a bug to serious???

[Russ Allbery <rra@debian.org>]

Steve Langasek <vorlon@debian.org> writes:
> On Wed, Jan 24, 2007 at 07:44:35PM -0600, Jacques Normand wrote:

>> I am trying to change the bug #383889 to serious and make it release
>> critical. I have explained in it why I want it RC and the document at
>> http://release.debian.org/etch_rc_policy.txt lists that

>> * makes unrelated software on the system (or the whole system)
>>   break

>> is a reason for rc-bug. In this case, the whole desktop locks and there
>> is no easy way to unlock it. (Which is effectively breaking the system).

>> So how do I do that?

> You seem to have gotten your answer on the procedure, but your rationale
> for upgrading this particular bug is flawed.  The package doesn't render
> the system unusable, it's your misconfiguration of PAM that does so.

You cannot enable verify_ap_req_nofail unless everything that's going to
do PAM configuration can read the system keytab file.  Most of the screen
savers run as a normal user and can't read the keytab unless it's readable
by the user running the screen saver.

Later versions of pam-krb5 will support configuring it to look at a
different keytab so that you can provide a lower-privilege world-readable
keytab for this purpose.  Until then, you either want to leave the
Kerberos library default, which will verify the tickets if the keytab is
readable and otherwise skip that step, or make the system keytab readable
by any user who may run the screen saver.

For more information, see:

    <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399002>

The support alluded to in that bug is already implemented in the upstream
version of pam-krb5, but I also incorporated PKINIT support and the code
has been rather unstable.  I'm holding off upgrading the Debian package
until after the etch release.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>