
Re: Bug#474275: please preseed if X11 Forwarding should be allowed



severity 474275 wishlist
thanks

On Fri, Apr 04, 2008 at 06:48:27PM +0200, Patrick Winnertz wrote:
> Package: openssh-server
> Version: 1:4.7p1-7
> Severity: whishlist

Please spell "wishlist" thus; it saves me having to correct it after the
fact.

> I'm one of the Debian Edu Developers and we have currently a Worksession in 
> Extremadura. During this worksession we try to find a solution for our 
> long standing bug #311188, which is kind of release critical. 
> 
> Since we've to modify your package in order to change the X11 Forwarding 
> option for our needs I would like to ask you to include the patch written 
> by me.

The explanation you give of why one might want to turn off X11
forwarding is not very convincing to me. It doesn't use any bandwidth
unless you explicitly request it (it's off by default in the client),
and if you explicitly requested it then there was probably a reason for
that.

Looking at the debian-edu-config code, you appear to be using it to turn
*on* X11 forwarding. Are you aware that X11 forwarding has been enabled
by default in openssh-server since version 1:4.2p1-1?

> -Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev
> +Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev, po-debconf
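
Review bot: the only change on this Build-Depends line is the trailing `, po-debconf`, and none of the visible hunks shows a build step that uses it. Either include the debian/rules change that needs it in the same patch so the dependency can be judged against it, or drop the addition.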

I won't build-depend on po-debconf or run debconf-updatepo automatically
in debian/rules. It causes far too many unnecessary diffs in revision
control and so on. I don't find it difficult to run it by hand when
necessary.

> +check_x_forwarding() {
> +    db_get ssh/enable_x_forwarding
> +    if [ "$RET" = true ]; then
> +        set_config_option X11Forwarding yes
> +    else
> +        set_conf_option X11Forwarding no
> +    fi
> +}
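
Review bot: the else branch of check_x_forwarding calls `set_conf_option`, while the true branch calls `set_config_option`; unless a helper with the shorter name exists elsewhere in the script, answering false reaches an undefined function instead of writing `X11Forwarding no`. Separately, the test `[ "$RET" = true ]` sends every other value, including an empty one, to the else branch, so the option is forced to `no` whenever the answer is not exactly `true`. Consider acting only on an explicit `true` or `false` and leaving an existing setting untouched otherwise.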

Clearly not tested. :-)

>  move_subsystem_sftp() {
>  	subsystem_sftp="$(get_config_option 'Subsystem sftp')"
> @@ -227,6 +235,8 @@
>  		    remove_obsolete_gssapi
>  		fi
>  
> +        check_x_forwarding
> +
>  		return 0
>  	    fi
>  	fi
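
Review bot: the `check_x_forwarding` call sits inside two nested `if` blocks, immediately before `return 0`, so it runs only when both enclosing conditions hold, and the visible context shows no call on any other path. If the answer is meant to take effect on every configuration run, move the call to a path that is always reached, or guard it the same way as the rest of this block. The added line is also indented with spaces where the surrounding lines use tabs.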

This is odd positioning. Anything in that block should be guarded with a
version check. At any rate, surely you're more concerned about fresh
installations (you mentioned preseeding)?

In summary, I'm inclined to close this as unnecessary, but would like to
hear your response to the above.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

