
Re: [tomcat8] 05/06: Change file permissions for Debian files to 640 in /etc/tomcat8.



On 15.08.2016 19:24, Moritz Muehlenhoff wrote:
> On Mon, Aug 15, 2016 at 06:42:31PM +0200, Markus Koschany wrote:
>> On 15.08.2016 18:31, Emmanuel Bourg wrote:
>>> On 08/15/2016 06:19 PM, Markus Koschany wrote:
>>>
>>>> This is the exact same change as currently in Stretch. This is an
>>>> improvement and has no negative effect.
>>>
>>> This change landed in Stretch only 4 days ago, we don't have enough
>>> feedback on its impact. I suspect it may cause some problems in
>>> environments where the Tomcat configuration is expected to be world
>>> readable. I thought we agreed to keep that modification for Stretch only
>>> when we discussed #825786 [1]:
>>>
>>>>> Ok, the stable patch shouldn't change the permissions to 640 though.
>>>>
>>>> Fine with me.
>>>
>>> Emmanuel Bourg
>>>
>>> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825786#75
>>
>> First of all I thought we had agreed that I take care of this security
>> update.
>>
>> I have prepared and tested this update and I came to the conclusion that
>> there is no need to revert the change from Stretch for Jessie again.
> 
> But we don't generally mix bugfix and security updates. There are a few
> exceptions - when something was acked by stable release managers
> and then a security update happened before the release of the point
> update - but generally all non-security changes should be acked by the
> stable release managers.

Then we should make an exception here because it is a simple and tested
patch that obviously will benefit our users, security- and
configuration-wise.

If you read through #825786 you can clearly see that this is a
real-life issue for people who create _new_ files in /etc/tomcat{7,8},
while Emmanuel's objections are unfounded. There is a simple and obvious
solution and we should implement it sooner rather than later because
this issue happens on _every_ update.

The security team should be able to come to its own conclusions in this
case without having to ask the release managers and since Salvatore
already acknowledged the update, it seems this procedure is not uncommon.

As you know I have prepared all major Tomcat security updates for the
past year, updates that changed a lot more files than this update and
that were far more intrusive than this single change. You should also
know by now that they always met all quality standards and nobody has
ever reported a regression. I am taking responsibility for this update
but not for anything else.

Regards,

Markus
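As an added example that is not part of this thread or of the Debian tomcat8 package: a POSIX shell check that audits a Tomcat configuration directory for files still readable by other users, then applies the 640 mode the commit describes. The default directory, the file names and the sample tree are constructed assumptions.

```shell
# Added audit helper, not code from the tomcat8 package or this thread. It
# reports files under a Tomcat configuration directory that are still readable
# by "other" users, i.e. looser than the 640 mode discussed above. The sample
# tree is constructed here so the check runs without touching /etc/tomcat8.

# List regular files below $1 that grant read permission to "other" (mode bit 004).
list_world_readable() {
    find "${1:-/etc/tomcat8}" -type f -perm -004
}

# Count those files; 0 means no configuration file is world readable.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Apply the 640 mode to every regular file below $1. A 640 mode only works if
# the files are group-owned by the service account so Tomcat can still read
# them; ownership is not touched here because that needs root.
tighten_to_640() {
    find "${1:-/etc/tomcat8}" -type f -exec chmod 640 {} +
}

# Constructed sample tree: one file already tightened, two "new" files left at
# the usual 644 umask result, the situation the thread describes for files
# created after the package was installed.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/Catalina"
    printf '<Server/>\n' > "$tmp/server.xml"
    printf '<tomcat-users/>\n' > "$tmp/tomcat-users.xml"  # holds credentials on a real host
    printf '<Context/>\n' > "$tmp/Catalina/localhost.xml"
    chmod 640 "$tmp/server.xml"
    chmod 644 "$tmp/tomcat-users.xml" "$tmp/Catalina/localhost.xml"
    printf '%s\n' "$tmp"
}

# Stand-alone run: audit the sample tree, tighten it, audit again.
sample=$(make_sample_tree)
echo "world-readable before: $(count_world_readable "$sample")"   # 2
tighten_to_640 "$sample"
echo "world-readable after:  $(count_world_readable "$sample")"   # 0
rm -rf "$sample"
```

Run it against a real /etc/tomcat8 only with the audit functions; the tightening step mirrors the package change and should be left to the package on a managed host.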
