Bug#535577: debian-policy: what to do with user-generated data (databases) on purge
On Fri, Jul 03 2009, Bas Zoetekouw wrote:
> Currently, policy is rather unclear on what to do with user-generated
> content, such as the content of databases, on purge. Afaics, the only
> cases that are mentioned are those of conffiles and log files (both of
> which are to be removed at purge).
> I would argue that databses and such should NOT be removed on purge
> without asking the user explicitly
I would agree that the data owner or custodian should be making
this decision, not the vendor.
> The immediate cause of me filing this bug, was the apt-get upgrade I
> just did, which upgraded postgres-8.3 to postgres-8.4 on my system.
> However, postgres apparently doesn't automatically migrate the user
> data to the next version, but still postgress-8.3 was marked as
> candidate for autoremoval. When I autoremoved the packages (with
> --purge), I did't notice postgres-8.3 in the list, an I certainly
> didn't expect it to eat my databases without asking me first.
> Sure, I should have paid more attention, but I still think that we
> shoudl try to protect users like me from themselves liek this, and at
> least _ask_ before removing databases (and other data).
I think this is a valid case for the use of debconf (after
testing to see it is still available) in the postinst.
While the actions seems fairly clear in this case, I think the
reason we have not standardized a policy rule for the general case is
that it is not so clear what is to be done with user dat, say, in case
of a game high scores file. In that case, it is not unreasonable to
purge the high scores along with the package.
So, by leaving it out of policy, we were leaving it to a case by
case determination by individual developers, hoping that the developer
would be best suited for determining the best course of action for the
data used by their package.
Having said that, it would probably be a good idea t codify that
sentiment in policy (take a hard look at the potential impact of
purging data created by your package, and ask the system
owner/custodian [in lieu of the data owner/custodian] what should be
done about the data if the potential impact could be major), and say
that only "inconsequential" data should be purged without asking. Yes,
that is ambiguous, but we may treat developers as having the judgment
to best resolve the ambiguity for their case, no?
"Sometimes insanity is the only alternative" button at a Science Fiction
Manoj Srivastava <email@example.com> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C