
Re: Package modifying a user-modified config file? [Bug #780797]



Chris Knadle <Chris.Knadle@coredump.us> writes:

> At present the openssh-server and openssh-client packages are
> altering /etc/ssh/ssh_config and /etc/ssh/sshd_config without
> prompting the user beforehand, even when they've been locally
> modified.  I've pointed to section § 10.7.3 of Debian Policy:

>    • local changes must be preserved during a package upgrade

>    (Appendix E also discusses this which I saw later)

> however the argument being made now is that "the particular section
> of the config being altered wasn't changed by the user".

Correct.  The Policy statement is about preserving user changes, not about
never touching any file that a user has modified in any way.  The package
is free to modify unchanged portions of the configuration file, and this
has been routinely done during package updates in Debian for as long as
I've been involved in the project.

> This is the current bug (severity serious):

>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780797

I think the maintainer should downgrade the severity of this bug, since I
don't think it meets the definition of serious, but I'll leave that to
Colin.

Separately, I personally am not fond of this change and would rather that
it only take effect on new installations, not existing installations.  I
find the security argument for this change to be rather dubious.  But this
is not a Policy violation; it's a judgement call by the maintainer whether
the benefit of the change is worth the disruption of changed behavior on
upgrades.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

