
Bug#339978: marked as done (ssh: upgrades from sarge stop due to conffile changes)



Your message dated Sat, 23 Dec 2006 10:33:56 +0000
with message-id <20061223103356.GH28442@riva.ucam.org>
and subject line Bug#335276: openssh conffile prompt: /etc/ssh/moduli
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:4.2p1-5

When testing upgrades of blacs-test-common from sarge to etch I ran into
trouble with ssh:

  Setting up openssh-client (4.2p1-5) ...

  Configuration file `/etc/ssh/ssh_config'
   ==> File on system created by you or by a script.
   ==> File also in package provided by package maintainer.
     What would you like to do about it ?  Your options are:
      Y or I  : install the package maintainer's version
      N or O  : keep your currently-installed version
        D     : show the differences between the versions
        Z     : background this process to examine the situation
   The default action is to keep your current version.

Note that since this was all done without touching any conffiles, it
would seem that a smooth upgrade from sarge isn't currently possible.
Would it be possible to twiddle things around in ways that make it
possible, at least for people who haven't touched their ssh conffiles?

-- 
Do, or do not. There is no angst.



--- End Message ---
--- Begin Message ---
On Thu, Dec 14, 2006 at 02:03:45PM -0500, Justin Pryzby wrote:
> On Thu, Dec 14, 2006 at 12:20:10PM -0500, Justin Pryzby wrote:
> > reopen 335276
> > found 335276 1:4.3p2-7
> > thanks
> > 
> > I'm afraid this just happened again, this time with /etc/ssh/moduli.
> > I don't know what this file does.  Should it be included with the package?

Yes; it's used for Diffie-Hellman group generation by both ssh-keygen
and sshd. It has a man page and everything ...

> > Is it modified somehow, somewhen?

1:4.3p2-7 changed it by request in bug #335259. It is not edited by
maintainer scripts.

> > 2006-12-14 11:36:32 upgrade openssh-server 1:4.3p2-6 1:4.3p2-7
> > 
> > $ md5sum /etc/ssh/moduli* openssh-client-1\:4.3p2-6/etc/ssh/moduli
> > 45e8268b1994ab38d5309eed05ba003c  /etc/ssh/moduli
> > 085771ebb2b6cfe60b84ad094de0788a  /etc/ssh/moduli.dpkg-old
> > d93b0dd7a654a68e39361caff3f3061e  openssh-client-1:4.3p2-6/etc/ssh/moduli

Well, that almost certainly indicates that you modified it
inadvertently, perhaps in the process of resolving a previous conffile
prompt from an upgrade before this bug was fixed. Please only reopen
this bug if you can demonstrate that it was a truly unmodified conffile.

Not *all* conffile prompts are bugs - only those where the admin
genuinely never touched the conffile. openssh's maintainer scripts don't
touch that file other than sometimes removing it to work around the old
dpkg bug that was the original cause of this bug report.

> This seems to be related to #335259; but, I'm somewhat confused, since I was of
> the impression that the test was:
> 
>   if [ md5sum(new-conffile) = dpkg-status-md5 ]
>     # Do nothing; the maintainer did not update the conffile
>   else if [ md5sum(file-on-disk) = dpkg-status-md5 ]
>     # The maintainer changed the conffile, but the admin did not
>     install_new_file
>     echo "Installed new file"
>   else
>     # Both the admin and the maintainer changed it
>     conffile_prompt
>   endif
> 
> This algo should hit the second case and display an informative message, but
> not prompt.
> 
> A possible solution might be to
>   grep -v '^#    $OpenBSD' |md5sum |sed

All the logic above is in dpkg, not openssh, so hardcoding OpenBSD would
make no sense. There is absolutely no way I'm going to edit
/var/lib/dpkg/status from openssh's maintainer scripts, if that's what
you're suggesting.

> I note another case which could be added after the first, avoiding some
> needless prompts:
> 
>   else if [ md5sum(file-on-disk) = md5sum(new-conffile) ]
>     # The admin may have changed the conffile, but the contents are identical
>     # to the maintainer's new version
>     install_new-conffile

Perhaps you should look at dpkg/src/configure.c, which already contains
such a test.

                        if (!strcmp(currenthash,newdisthash)) {
                                /* They're both the same so there's no point asking silly questions. */
                                useredited= -1;
                                distedited= -1;
                                what= cfo_identical;
                        }

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
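
The conffile test debated in the thread, written out as a small shell function. This is an added example, not part of the original messages and not dpkg's code. The function names are hypothetical, and the role assigned to each of the three md5sums quoted above (1:4.3p2-6 package file as the recorded baseline, moduli.dpkg-old as the pre-upgrade file on disk, the current /etc/ssh/moduli as the 1:4.3p2-7 version) is an assumption.

```shell
#!/bin/sh
# Added example: a simplified model of the conffile decision discussed in the
# thread. Function and variable names are hypothetical, not dpkg's own.

# md5_of FILE: print only the MD5 digest of FILE (for feeding real files in).
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# conffile_decision RECORDED CURRENT NEWDIST
#   RECORDED  digest dpkg stored for the previously installed package's file
#   CURRENT   digest of the file on disk before the upgrade
#   NEWDIST   digest of the file shipped in the new package
conffile_decision() {
    recorded=$1; current=$2; newdist=$3
    if [ "$current" = "$newdist" ]; then
        echo identical   # disk already matches the new version: nothing to ask
    elif [ "$newdist" = "$recorded" ]; then
        echo keep        # maintainer changed nothing: leave the admin's file
    elif [ "$current" = "$recorded" ]; then
        echo install     # only the maintainer changed it: install silently
    else
        echo prompt      # both sides changed it: ask the admin
    fi
}

# Digests quoted in the thread; the role given to each one is an assumption.
PKG_OLD=d93b0dd7a654a68e39361caff3f3061e   # moduli from the 1:4.3p2-6 package
DISK_OLD=085771ebb2b6cfe60b84ad094de0788a  # /etc/ssh/moduli.dpkg-old
DISK_NEW=45e8268b1994ab38d5309eed05ba003c  # /etc/ssh/moduli after the upgrade

echo "thread case: $(conffile_decision "$PKG_OLD" "$DISK_OLD" "$DISK_NEW")"
```

Under those assumptions the three digests all differ, so the model lands in the prompt case, which is consistent with the reply's reading that the file on disk no longer matched what the previous package shipped.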
