Bug#862485: fwsnort mustn't set iptables rules when purged

To: Adrian Bunk <bunk@debian.org>
Cc: 862485@bugs.debian.org
Subject: Bug#862485: fwsnort mustn't set iptables rules when purged
From: Axel Beckert <abe@debian.org>
Date: Sat, 13 May 2017 22:44:22 +0200
Message-id: <[🔎] 20170513204422.GS6510@sym.noone.org>
Reply-to: Axel Beckert <abe@debian.org>, 862485@bugs.debian.org
In-reply-to: <[🔎] 20170513181020.wdkwhjzcbfhhewea@localhost>
References: <[🔎] 149468419444.453.5347700095890788448.reportbug@localhost> <[🔎] 20170513172727.GQ6510@sym.noone.org> <[🔎] 20170513181020.wdkwhjzcbfhhewea@localhost>

Control: tag -1 + confirmed - moreinfo

Hi Adrian,

Adrian Bunk wrote:
> > > Tags: security
> > 
> > I also disagree with this tag.
> 
> messing up the iptables setup at an unexpected time can have bad 
> consequences.

bad != security

> > > A case could be made for "fwsnort --ipt-flush" in prerm.
> > 
> > This would be against the expectation of users that configurations,
> > settings etc. are removed on purge and not on removal.
> 
> When you remove (not purge) a package containing a webserver, do you 
> expect that the webserver is stopped or do you expect that the webserver
> is still running after removing the package?

Granted. Thanks for that comparison.

> > > Or considering that activating any fwsnort rules is not done
> > > automatically and that the package should not interfere with
> > > what the the admin has done.
> >
> > I disagree. I expect a package to clean up its changes on purge which
> > result on common usage. To be more specifically, seeing 11'000
> > iptables rules left on my system after pruging fwsnort with no chance
> > to remove them without reinstalling the package or removing 11'000
> > rules by hand. Not cleaning up these rules is a bug. And cleaning up
> > is a task for "purge", not for "remove".
> 
> "Remove an installed package. This removes everything except conffiles"
> This the dpkg (and similar in apt) description of what remove does.
> 
> A package that is removed but not purged is in the Config-Files states.
> This means the old configuration is still present if the package gets
> installed again.
> 
> Purging is supposed to remove the (at that point already unused)
> configuration files of the package.

Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
(to be created) prerm and do another QA upload. (Unless you're already
onto it. Feel free to do that.)
 
		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Reply to:

Follow-Ups:
- Bug#862485: fwsnort mustn't set iptables rules when purged
  - From: Axel Beckert <abe@debian.org>

References:
- Bug#862485: fwsnort mustn't set iptables rules when purged
  - From: Adrian Bunk <bunk@debian.org>
- Bug#862485: fwsnort mustn't set iptables rules when purged
  - From: Axel Beckert <abe@debian.org>
- Bug#862485: fwsnort mustn't set iptables rules when purged
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: Processed: Re: Bug#862485: fwsnort mustn't set iptables rules when purged
Next by Date: wvstreams is marked for autoremoval from testing
Previous by thread: Bug#862485: fwsnort mustn't set iptables rules when purged
Next by thread: Bug#862485: fwsnort mustn't set iptables rules when purged
Index(es):
- Date
- Thread