Re: Some 2 year old proposals

To: debian-policy@lists.debian.org
Subject: Re: Some 2 year old proposals
From: Matt Zimmerman <mdz@debian.org>
Date: Thu, 21 Aug 2003 20:35:54 -0400
Message-id: <[🔎] 20030822003553.GE23625@alcor.net>
Mail-followup-to: Matt Zimmerman <mdz@debian.org>, debian-policy@lists.debian.org
In-reply-to: <[🔎] 87lltn0y0f.fsf@glaurung.green-gryphon.com>
References: <[🔎] 87lltn0y0f.fsf@glaurung.green-gryphon.com>

On Thu, Aug 21, 2003 at 11:35:28AM -0500, Manoj Srivastava wrote:

>      * #80343: [PROPOSAL] policy should say no files should be owned by         
>        "nobody"                                                                 
>        Package: debian-policy; Severity: wishlist; Reported by: "KORN Andras"   
>        <korn@chardonnay.math.bme.hu>; 2 years and 239 days old.                 
> 
> 	Hmm. Do people think this is required? Are there any
>  files/directories owned by "nobody"? If so, why is that not already a
>  bug? Should policy state, in effect, "do not create bugs in your
>  package"? 

mizar:[~] sudo find / -user nobody -ls |tee ~/temp/nobody 
1917287    4 drwxr-xr-x   2 nobody   nogroup      4096 Aug 16 23:05 /var/lib/ddt-client
1916940    0 prw-------   1 nobody   nogroup         0 Aug 20 11:07 /var/lib/ddt-client/fifo.in
1916947    0 prw-------   1 nobody   nogroup         0 Aug 20 11:07 /var/lib/ddt-client/fifo.out
180836    4 -rw-rw-rw-   1 nobody   games         308 Jul 13  2001 /var/lib/games/crossfire/temp.maps
1540811    4 -rw-rw-rw-   1 nobody   games        1130 Jul 13  2001 /var/log/crossfire/logfile
442784    4 drwxr-xr-x   2 nobody   nogroup      4096 Aug 16 23:05 /var/run/ddt
442934    4 -rw-r--r--   1 nobody   nogroup         4 Aug 16 23:05 /var/run/ddt/ddtcd.pid

The proposal also says the same thing about other users, like "daemon" and
"www-data", which are misused even more often than nobody.

It is far better for each service to run under a different uid, in order to
contain the breach in the event of a compromise.

But if "nobody" really doesn't make sense at all (and an argument could be
made), shouldn't we rather remove or deprecate it entirely rather than
restricting only its ownership of files?

>      * #82310: Provides: java-servlet-engine                                    
>        Package: debian-policy; Severity: wishlist; Reported by:                 
>        thom@planetarytramp.net (Thom May); 2 years and 216 days old.            
> 
> 	This seems to have stalled for over two years. What is the
>  status of this proposal?  Is a java-servlet-engine virtual package
>  feasible?

Once free Java implementations are up to the task, this would be useful.  We
already have a shared webapp directory (/usr/share/java/webapps) where java
applications can install themselves.  If they could also depend on a virtual
package provided by all servlet engines, java web applications could be
packaged very nicely.

Of course, as far as I know, none of the Java implementations in Debian can
run a servlet engine at this point.

-- 
 - mdz

Reply to:

References:
- Some 2 year old proposals
  - From: Manoj Srivastava <srivasta@golden-gryphon.com>

Prev by Date: Bug#82310: Provides: java-servlet-engine
Next by Date: Bug#206684: debian-policy: Proposal for going ahead with mandatory debconf use for prompting
Previous by thread: Bug#80343: Some 2 year old proposals
Next by thread: Explanation for recently retired proposals
Index(es):
- Date
- Thread