
Re: Bug#485562: twiki: configure script access badly protected



Quoting Olivier Berger (olivier.berger@it-sudparis.eu):

> > I think that the twiki/apacheUserCreationNote becomes useless now.
> > It is needed by the following bit of code:
> > 
> > # add info due to 3-4 bug reports
> > db_input high twiki/apacheUserCreationNote || true
> >
> > 
> > This is clear and blatant debconf abuse, I'm afraid. Interrupting
> > installs to give information that should be in README.Debian
> 
> On this one point I agree, if policy recommends not doing so. Still,
> note that it is only "high" and not "critical" in the db_input, in
> config... So may not interrupt in all cases ?

Nearly all. "high" is the default priority for debconf so using a high
priority note is likely to interrupt most installations.

> 
> But :
> >  and is
> > anyway obsoleted by the bit of code that gives admin rights to
> > ${configuser} makes this part irrelevant.
> > 
> 
> No. 

OK, got the point. That was overreading the packaging stuff and
ignorance of Twiki internals.


> The "apacheUserCreationNote" relates to the wiki's internal users which
> need to be added to the wiki's group Main.TWikiAdminGroup, and not
> apache's, actually, so the template name is confusing.
> 
> But asking the user to take care of this extra configuration step (after
> install) is not in any way obsoleted by the configuser being added in
> #485562's fix.
> 
> > I propose removing that debconf note (shortly said: mandatory debconf
> > notes suck).
> > 
> 
> Hmmm... The fact that after initial install it may be safest to review
> TWiki's internal privileges, and configure an admin user (member of
> Main.TWikiAdminGroup) is something that users should be
> warned of IMHO.

Sure, but that does not really make it part of a debconf
note. Otherwise, we could say the same of most packages and server
software.

That brings us back to the good old days of debconf introduction where
maintainers were feeling the urge to "warn" administrators about each
and every other needed action.

The debconf author himself
felt the need to describe what debconf notes are meant for in the
debconf-devel man page. Basically he says that using notes should be
kept for cases where it is absolutely and urgently needed to point
users at something.

As you describe it, I don't think that this is the case for that note.

Anyway, I leave it up to you to decide, with these arguments...:-)


