"Fix" of sudo with DSA-946-1
Hi,
Allow me to step on my little soap box here.
As many users of the sudo package, I also found that sudo was broken
after an apt-get upgrade. Apparently, the "fix" of DSA-945-1 was the culprit.
Reading through the announcement, I think the security team made the
right decision to solve this, and releasing a patch. They can (and
should!) be complimented for that. However, I feel that they gravely
underestimated the impact of the "fix" on the average user. In short: the
package is broken. See for example the many bugs that people have filed
last week: #349085, #349196, #349286, #349549, #349587, #349729, and
#349999. People, in short, do not expect that a package severely changes
behaviour if they use "stable".
The correct action in this case, IMHO, should have been to apply the
patch (of course!), but also add a postinst script, which gives a BIG
warning telling people that they need to change /etc/sudoers.
The postinst scripts of the kernel-image-* packages are examples of how it
should have been done. I sincerely hope that we will shortly see a
sudo_1.6.8p7-1.4 which has such a warning.
I also recommend taking a look at bug #349129:
"The new behaviour regarding env sanitising is not reflected in the
sudoers or the sudo manpages and there is no news.debian file in the
sarge package; one must read the security announcement very precisely
to find out how to deal with the change."
Thank you for listening to my little rant.
I'd better stop here, before it turns into a nice, cozy flame war ;-)
With kind regards,
Freek
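An added illustration of the kind of postinst check the post asks for; it is example code written for this page, not the Debian sudo package's maintainer script. It assumes that the sudoers change an administrator has to make after the update is expressed with the `env_reset` / `env_keep` Defaults keywords of sudoers(5), which the post does not name, and it takes the sudoers path as a parameter so the check can be exercised on constructed sample files rather than the real /etc/sudoers.

```shell
#!/bin/sh
# Example postinst-style check (not the sudo package's own postinst).
# Assumption: after the DSA-946-1 update, an adapted /etc/sudoers carries a
# "Defaults env_reset" or "Defaults env_keep ..." line; if neither is present,
# the administrator has probably not yet dealt with the behaviour change.

# Return 0 when FILE has no uncommented Defaults line mentioning
# env_keep or env_reset (i.e. a warning is warranted), 1 when such a
# line exists, and 2 when the file cannot be read.
sudoers_lacks_env_policy() {
    file="$1"
    [ -r "$file" ] || return 2
    # Drop comments first so a commented-out "Defaults env_reset" does not count.
    if sed 's/#.*//' "$file" | grep -Eq '^[[:space:]]*Defaults.*env_(keep|reset)'; then
        return 1
    fi
    return 0
}

# The BIG warning the post asks for, on stderr so it is visible during
# an apt-get upgrade. The example env_keep line is a constructed sample.
env_policy_warning() {
    cat <<'EOF' >&2
*** sudo: environment sanitising has changed with this update (DSA-946-1) ***
/etc/sudoers contains no env_reset / env_keep policy. Commands that relied
on variables inherited from the caller's environment may now behave
differently. Review /etc/sudoers and list the variables you need, e.g.
    Defaults env_keep += "HTTP_PROXY"
See the security announcement and sudoers(5).
EOF
}

# Constructed sample files so the script runs stand-alone.
sample_old=$(mktemp)
sample_new=$(mktemp)
cat > "$sample_old" <<'EOF'
# old sarge-era file with no environment policy
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
cat > "$sample_new" <<'EOF'
# file already adapted after the update
Defaults env_reset
Defaults env_keep += "HTTP_PROXY FTP_PROXY"
root    ALL=(ALL) ALL
EOF

# Postinst-style driver: warn only for the file that lacks a policy.
for f in "$sample_old" "$sample_new"; do
    if sudoers_lacks_env_policy "$f"; then
        echo "checking $f" >&2
        env_policy_warning
    fi
done
rm -f "$sample_old" "$sample_new"
```

Run as a plain shell script: only the first constructed file triggers the warning. In a real postinst the path would be /etc/sudoers and the check would run once; the point is that the decision to warn is made by inspecting the file, not unconditionally on every upgrade.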