Your message dated Sun, 05 Aug 2012 21:23:13 +0100 with message-id <1344198193.21252.34.camel@jacala.jungle.funky-badger.org> and subject line Re: Bug#683472: unblock: xen-api/1.3.2-10 has caused the Debian Bug report #683472, regarding unblock: xen-api/1.3.2-10 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 683472: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683472 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: xen-api/1.3.2-10
- From: Thomas Goirand <zigo@debian.org>
- Date: Wed, 01 Aug 2012 10:19:06 +0800
- Message-id: <[🔎] 20120801021906.12107.82020.reportbug@buzig.gplhost.com>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package xen-api The current version in Wheezy suffers from a wrong default PAM setting of PAM, giving access to XAPI to any account on th server, as per: http://lists.xen.org/archives/html/xen-api/2012-07/msg00059.html Relevant diff: http://anonscm.debian.org/gitweb/?p=pkg-xen/xen-api.git;a=commitdiff;h=c75c43b2fd6ab55113023e6f9b6510f5cdd3573e So, please unblock xen-api/1.3.2-10 ASAP. Cheers, Thomas
--- End Message ---
--- Begin Message ---
- To: Thomas Goirand <zigo@debian.org>
- Cc: 683472-done@bugs.debian.org
- Subject: Re: Bug#683472: unblock: xen-api/1.3.2-10
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 05 Aug 2012 21:23:13 +0100
- Message-id: <1344198193.21252.34.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <[🔎] 501DE6C9.2050502@debian.org>
- References: <[🔎] 20120801021906.12107.82020.reportbug@buzig.gplhost.com> <[🔎] 1344095550.21252.17.camel@jacala.jungle.funky-badger.org> <[🔎] 501DE6C9.2050502@debian.org>
On Sun, 2012-08-05 at 11:21 +0800, Thomas Goirand wrote: > On 08/04/2012 11:52 PM, Adam D. Barratt wrote: > > The changelog and actual changes appear to disagree: > > > > + - Adds a xapi group. > > + - Configure PAM to only grant access to root and xapi groups. > > > > versus > > > > ++auth sufficient pam_succeed_if.so user ingroup root > > ++#auth sufficient pam_succeed_if.so user ingroup xapi [...] > It has been decided at the last moment, together with upstream (eg: Mike > from Citrix) that we would add the xapi group, but only provide the pam > configuration with disabled access to XAPI for the members of this > group, for security purpose, and to force the admins to understand how > it worked. Then the changelog shouldn't suggest that installing the new version allows members of the new group to gain the access without any further action. > To provide access to a user to XAPI, an administrator would have to add > such user into the XAPI group, then uncomment the above line. > > So, even though it could have been mentioned in the changelog, I think > it is fine the way it is right now. If you feel we should, I don't mind > mentioning it in the README.Debian. Well, the point of the changelog is rather to document the changes, not something that's kinda sorta close to the changes. I've unblocked the package, but the existence of the group and its use should really be documented. Indeed, given that this is a behavioural change from the previous version of the package, a NEWS.Debian mention would quite possibly be appropriate. Regards, Adam
--- End Message ---