Your message dated Fri, 07 May 2021 20:31:12 +0000 with message-id <E1lf77w-0005uB-Ll@respighi.debian.org> and subject line unblock lacme has caused the Debian Bug report #988216, regarding unblock: lacme/0.8.0-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 988216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988216 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: lacme/0.8.0-2
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Fri, 7 May 2021 22:10:40 +0200
- Message-id: <[🔎] YJWewBCxmqHOKosg@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Dear Release Team, Please unblock package lacme/0.8.0-2: [ Reason ] As of lacme 0.8.0-1 dedicated system users _lacme-* are created at install time and removed on purge. The later was done under the assumption that no file owned by these users is ever created on disk. While that is true with the default configuration, it's possible to configure lacme in a way that requires manual creation of a directory owned by one of these system users. The user in question (_lacme-client) should therefore *not* be deleted on purge. Cf. #988032. [ Impact ] In a non-default configuration, a directory owned by _lacme-client might be left after package removal. That system user is removed on purge, which could have security implications should its ID be recycled later. [ Tests ] Ensured _lacme-client remained after purging 0.8.0-2. [ Risks ] The fix is trivial with modifications in postrm only. Only _lacme-client needs to remain after package purge, but for symmetry I decided to keep _lacme-www as well. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock lacme/0.8.0-2 -- Guilhem.diffstat for lacme-0.8.0 lacme-0.8.0 changelog | 8 ++++++++ lacme.postrm | 15 --------------- 2 files changed, 8 insertions(+), 15 deletions(-) diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog --- lacme-0.8.0/debian/changelog 2021-02-22 03:31:23.000000000 +0100 +++ lacme-0.8.0/debian/changelog 2021-05-04 01:37:13.000000000 +0200 @@ -1,3 +1,11 @@ +lacme (0.8.0-2) unstable; urgency=medium + + * d/lacme.postrm: Don't delete system users on purge. There might be files + on disk owned by _lacme-client when 'challenge-directory' is set in the + configuration (closes: #988032). + + -- Guilhem Moulin <guilhem@debian.org> Tue, 04 May 2021 01:37:13 +0200 + lacme (0.8.0-1) unstable; urgency=low * New upstream release (closes: #970458, #970800, #972456). diff -Nru lacme-0.8.0/debian/lacme.postrm lacme-0.8.0/debian/lacme.postrm --- lacme-0.8.0/debian/lacme.postrm 2021-02-22 03:31:23.000000000 +0100 +++ lacme-0.8.0/debian/lacme.postrm 1970-01-01 01:00:00.000000000 +0100 @@ -1,15 +0,0 @@ -#!/bin/sh - -set -e - -if [ "$1" = "purge" ]; then - if getent passwd _lacme-www >/dev/null; then - deluser --quiet --system _lacme-www - fi - if getent passwd _lacme-client >/dev/null; then - deluser --quiet --system _lacme-client - fi -fi - -#DEBHELPER# -exit 0Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 988216-done@bugs.debian.org
- Subject: unblock lacme
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Fri, 07 May 2021 20:31:12 +0000
- Message-id: <E1lf77w-0005uB-Ll@respighi.debian.org>
Unblocked.
--- End Message ---