
Bug#535577: debian-policy: what to do with user-generated data (databases) on purge

On Fri, Jul 03 2009, Bas Zoetekouw wrote:

> Currently, policy is rather unclear on what to do with user-generated
> content, such as the content of databases, on purge.  Afaics, the only
> cases that are mentioned are those of conffiles and log files (both of
> which are to be removed at purge).

> I would argue that databases and such should NOT be removed on purge
> without asking the user explicitly

        I would agree that the data owner or custodian should be making
 this decision, not the vendor.

> The immediate cause of me filing this bug, was the apt-get upgrade I
> just did, which upgraded postgres-8.3 to postgres-8.4 on my system.
> However, postgres apparently doesn't automatically migrate the user
> data to the next version, but still postgres-8.3 was marked as
> candidate for autoremoval.  When I autoremoved the packages (with
> --purge), I didn't notice postgres-8.3 in the list, and I certainly
> didn't expect it to eat my databases without asking me first.
> Sure, I should have paid more attention, but I still think that we
> should try to protect users like me from themselves like this, and at
> least _ask_ before removing databases (and other data).

        I think this is a valid case for the use of debconf (after
 testing to see it is still available) in the postinst.

        While the action seems fairly clear in this case, I think the
 reason we have not standardized a policy rule for the general case is
 that it is not so clear what is to be done with user data, say, in case
 of a game high scores file. In that case, it is not unreasonable to
 purge the high scores along with the package.

        So, by leaving it out of policy, we were leaving it to a case by
 case determination by individual developers, hoping that the developer
 would be best suited for determining the best course of action for the
 data used by their package.

        Having said that, it would probably be a good idea to codify that
 sentiment in policy (take a hard look at the potential impact of
 purging data created by your package, and ask the system
 owner/custodian [in lieu of the data owner/custodian] what should be
 done about the data if the potential impact could be major), and say
 that only "inconsequential" data should be purged without asking. Yes,
 that is ambiguous, but we may treat developers as having the judgment
 to best resolve the ambiguity for their case, no?

"Sometimes insanity is the only alternative" button at a Science Fiction
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
