
Bug#780797: Package modifying a user-modified config file? [Bug #780797]



On Sun, 2015-03-22 at 20:35 +0000, Colin Watson wrote:
> Anyway, I would appreciate it if people could refrain from filling my
> mailbox further about this bug. :-)
One last thing perhaps. O:-)


> Due to what I view as historical errors, sshd_config doesn't really have
> a single canonical state on all upgraded systems.  If it had been a
> dpkg-managed conffile from the start then that would have been much
> better, but as it is we have to make do with what we have.
Well maybe it's time to make a clear cut:
- declare all previous configs no longer "handled" by future upgrades in
  stretch
- create fresh default config, which also got rid of all other
  questionable Debian modifications
- make it dpkg managed

That could also greatly simplify the maintainer scripts.


> Although I
> would point out that if sshd_config had been dpkg-managed then there
> would have been multiple grave bugs in the past about sshd failing to
> start on upgrade due to people failing to notice the changes they had to
> merge, so, you know, we kind of have to consider practicalities as well
> as ideals here.
Well if people don't read their NEWS.Debian files and their release
notes it's simply their fault.
You cannot just protect them from everything, and you make your own life
as maintainer much harder... and others who do their admin homework
kinda suffer as well. 





> I haven't had time to deal with it
> over the last couple of days (Debian developer in having a social life
> shocker!), but in brief I intend to revert the offending change in its
> entirety as it's clearly causing far more trouble than it can possibly
> be worth.  I'll post further rationale when I get half a chance.
Well I don't really care that much, as said my intention was just to
improve defaults for others.

But to be honest, and without intending to offend any of the others,...
it kinda seems to me that people make a mountain out of a molehill.

The change is really little, for well-grounded security reasons it's
actually intended by upstream that no env vars are sent/accepted unless
explicitly allowed by the admin. So people who complain now likely just
abused that "hole" in Debian's default all the years, which is however
no grant for a right to do so forever.

It feels a bit like the systemd debate where a loud minority started an
outcry about things which in reality probably didn't even affect them.


Bye,
Chris.
