Bug#1006631: lintian: Recommend moving D-Bus policy files from /etc to /usr
Package: lintian
Version: 2.114.0
Severity: wishlist
dbus supports policy files in both /usr/share/dbus-1/system.d and
/etc/dbus-1/system.d. I recently released dbus 1.14.0, which officially
deprecates installing packages' default policies into /etc/dbus-1/system.d,
instead reserving it for the sysadmin. This is the same idea as the
difference between /lib/udev/rules.d and /etc/udev/rules.d.
It would be useful for Lintian to have a dbus-policy-in-etc tag, mirroring
udev-policy-in-etc. I attach an implementation (based on commit 11926263,
and might need rebasing on current git, which I can't do because salsa
is down at the moment).
/usr/share/dbus-1 has worked since Debian 9, and the transition from
/etc/dbus-1 to /usr/share/dbus-1 is already about ⅓ complete:
/usr/share/dbus-1/system.d is currently used by 75 policy files in 61
binary packages, while /etc/dbus-1/system.d is used by 135 files in
124 binary packages.
Thanks,
smcv
From 34fffb40208ec3241f1af43670fa55751f7af474 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Mon, 28 Feb 2022 19:43:41 +0000
Subject: [PATCH] desktop/dbus: Check for dbus policy files installed into /etc
dbus 1.14.0 officially deprecates this, following the same principles
used for udev rules. /etc/dbus-1 is now reserved for the sysadmin
(analogous to /etc/udev), and OS packages should use /usr/share/dbus-1
(analogous to /lib/udev).
Signed-off-by: Simon McVittie <smcv@debian.org>
---
lib/Lintian/Check/Desktop/Dbus.pm | 3 +++
.../dbus/dbus-policy/build-spec/debian/install | 1 +
.../share}/dbus-1/system.d/at-console.conf | 0
.../checks/desktop/dbus/dbus-policy/eval/hints | 5 +++--
tags/d/dbus-policy-in-etc.tag | 16 ++++++++++++++++
5 files changed, 23 insertions(+), 2 deletions(-)
rename t/recipes/checks/desktop/dbus/dbus-policy/build-spec/orig/{etc => usr/share}/dbus-1/system.d/at-console.conf (100%)
create mode 100644 tags/d/dbus-policy-in-etc.tag
diff --git a/lib/Lintian/Check/Desktop/Dbus.pm b/lib/Lintian/Check/Desktop/Dbus.pm
index e49e63c2e..582a5263c 100644
--- a/lib/Lintian/Check/Desktop/Dbus.pm
+++ b/lib/Lintian/Check/Desktop/Dbus.pm
@@ -74,6 +74,9 @@ my $PROPERTIES = 'org.freedesktop.DBus.Properties';
sub check_policy {
my ($self, $item) = @_;
+ $self->pointed_hint('dbus-policy-in-etc', $item->pointer)
+ if $item->name =~ m{^etc/};
+
my $xml = $item->decoded_utf8;
return
unless length $xml;
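Review bot: the new match `m{^etc/}` at the top of check_policy is broader than the tag it emits. The tag text names only /etc/dbus-1/system.d and /etc/dbus-1/session.d, but any item whose name starts with etc/ is flagged if it reaches this sub. Unless the caller already guarantees that only those two directories get here (not visible in this hunk), consider anchoring the pattern to them, for example `m{^etc/dbus-1/(?:system|session)\.d/}`. Emitting the hint before the `return unless length $xml` means empty files under /etc are reported too; that looks intended, but a one-line comment saying so would help.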
diff --git a/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/debian/install b/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/debian/install
index ee19d5d17..a75e23712 100644
--- a/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/debian/install
+++ b/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/debian/install
@@ -1 +1,2 @@
etc
+usr
diff --git a/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/orig/etc/dbus-1/system.d/at-console.conf b/t/recipes/checks/desktop/dbus/dbus-policy/build-spec/orig/usr/share/dbus-1/system.d/at-console.conf
similarity index 100%
rename from t/recipes/checks/desktop/dbus/dbus-policy/build-spec/orig/etc/dbus-1/system.d/at-console.conf
rename to t/recipes/checks/desktop/dbus/dbus-policy/build-spec/orig/usr/share/dbus-1/system.d/at-console.conf
diff --git a/t/recipes/checks/desktop/dbus/dbus-policy/eval/hints b/t/recipes/checks/desktop/dbus/dbus-policy/eval/hints
index 164613fd4..60660677c 100644
--- a/t/recipes/checks/desktop/dbus/dbus-policy/eval/hints
+++ b/t/recipes/checks/desktop/dbus/dbus-policy/eval/hints
@@ -4,5 +4,6 @@ dbus-policy (binary): dbus-policy-without-send-destination <policy context="defa
dbus-policy (binary): dbus-policy-without-send-destination <policy context="default"><allow send_interface="org.freedesktop.DBus.ObjectManager"/> [etc/dbus-1/system.d/send-destination.conf:3]
dbus-policy (binary): dbus-policy-excessively-broad <policy context="default"><allow send_path="/com/example/Here"/> [etc/dbus-1/system.d/send-destination.conf:5]
dbus-policy (binary): dbus-policy-excessively-broad <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/> [etc/dbus-1/system.d/send-destination.conf:4]
-dbus-policy (binary): dbus-policy-at-console <policy at_console="true"><allow send_destination="com.example.Service"/> [etc/dbus-1/system.d/at-console.conf:3]
-dbus-policy (binary): dbus-policy-at-console <policy at_console="true"><allow send_destination="com.example.Other"/> [etc/dbus-1/system.d/at-console.conf:4]
+dbus-policy (binary): dbus-policy-in-etc [etc/dbus-1/system.d/send-destination.conf]
+dbus-policy (binary): dbus-policy-at-console <policy at_console="true"><allow send_destination="com.example.Service"/> [usr/share/dbus-1/system.d/at-console.conf:3]
+dbus-policy (binary): dbus-policy-at-console <policy at_console="true"><allow send_destination="com.example.Other"/> [usr/share/dbus-1/system.d/at-console.conf:4]
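Review bot: the expected hints exercise dbus-policy-in-etc only for etc/dbus-1/system.d/send-destination.conf; nothing under etc/dbus-1/session.d is covered, although the tag description names that directory as well. A small session.d policy file in build-spec/orig would test that path, or the description should be narrowed if the check never sees session.d files. Moving at-console.conf to usr/share does usefully confirm that the /usr location is not flagged while dbus-policy-at-console still fires there.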
diff --git a/tags/d/dbus-policy-in-etc.tag b/tags/d/dbus-policy-in-etc.tag
new file mode 100644
index 000000000..b126f877b
--- /dev/null
+++ b/tags/d/dbus-policy-in-etc.tag
@@ -0,0 +1,16 @@
+Tag: dbus-policy-in-etc
+Severity: warning
+Check: desktop/dbus
+Explanation: The package contains D-Bus policy configuration and installs it
+ under <code>/etc/dbus-1/system.d</code> or
+ <code>/etc/dbus-1/session.d</code>. These directories are reserved for
+ local configuration, which overrides the default policies in
+ <code>/usr</code>.
+ .
+ The correct directory for system bus policy installed by packages is
+ <code>/usr/share/dbus-1/system.d</code>.
+ .
+ The correct directory for session bus policy installed by packages
+ (not usually needed) is <code>/usr/share/dbus-1/session.d</code>.
+See-Also:
+ dbus-daemon(1)
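Review bot: the Explanation says where the file should go but not how to get it there. Files shipped under /etc are conffiles, so a maintainer who only changes the install path leaves the old copy behind on upgrade, where it keeps being read as local configuration. A sentence pointing at dpkg-maintscript-helper(1) rm_conffile, with a matching See-Also entry, would make the tag actionable. It would also help to say since which dbus version the /usr/share directories are read, so maintainers can judge whether the move is safe for backports.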
--
2.35.1