
Re: Package modifying a user-modified config file? [Bug #780797]



On 03/21/2015 04:14 PM, Russ Allbery wrote:
> Chris Knadle <Chris.Knadle@coredump.us> writes:
> 
>> At present the openssh-server and openssh-client packages are
>> altering /etc/ssh/ssh_config and /etc/ssh/sshd_config without
>> prompting the user beforehand, even when they've been locally
>> modified.  I've pointed to section § 10.7.3 of Debian Policy:
> 
>>    • local changes must be preserved during a package upgrade
> 
>>    (Appendix E also discusses this which I saw later)
> 
>> however the argument being made now is that "the particular section
>> of the config being altered wasn't changed by the user".
> 
> Correct.  The Policy statement is about preserving user changes, not about
> never touching any file that a user has modified in any way.  The package
> is free to modify unchanged portions of the configuration file, and this
> has been routinely done during package updates in Debian for as long as
> I've been involved in the project.

:-(  Okay.  That I didn't know.  There's an extent to which this is
understandable, and an extent to which it's a bit frightening because
it means I can't know what I'll be notified concerning changes to my
own config files and therefore how my system runs.

>> This is the current bug (severity serious):
> 
>>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780797
> 
> I think the maintainer should downgrade the severity of this bug, since I
> don't think it meets the definition of serious, but I'll leave that to
> Colin.
> 
> Separately, I personally am not fond of this change and would rather that
> it only take effect on new installations, not existing installations.  I
> find the security argument for this change to be rather dubious.  But this
> is not a Policy violation; it's a judgement call by the maintainer whether
> the benefit of the change is worth the disruption of changed behavior on
> upgrades.

Yeah I wish this had been for new installations only rather than
changing the current configs without prompting, but as long as it's
not a policy violation this concern of mine is essentially moot.

Thank you very much for taking the time to answer this.

   -- Chris

-- 
Chris Knadle
Chris.Knadle@coredump.us

