Re: Reporting a bug that affects more than one package

[Terry Roy <tech@futurecourse.com>]

On 21/12/2017 19:18, Ben Finney wrote:
> Terry Roy <tech@futurecourse.com> writes:
>
> > I found a bug in Debian's latest 9.3 update where the postinst script
> > of a package contained the line:
> >
> > "su - username do something...."
>
> I've just run this command:
>
>      grep "su - " /var/lib/dpkg/info/*
>
> which returned no results on a system with thousands of packages
> installed. So I tentatively conclude that it's not a common pattern.

I've never run across it before although based on one of the bug reports 
I filed, others have. It's peculiar only to systems with files in 
/etc/profile.d. I've another server, virtually identical with respect to 
packages but with no file in /etc/profile.d and haven't experienced the 
issue.

> > I've just run across it again on a fresh install of another package.
> > I've reported that bug but clearly this seems to be an issue involving
> > the use of "su -" in postinst.
>
> You should proceed this way, IMO. Report a bug against each package that
> uses that invocation.
>
>
> I note that a similar pattern, invoking ‘su’ to run commands as another
> user, is in the ‘postgresql-common’ package:
>
>      su -s /bin/sh postgres -c "… more commands …"
>
> If you alter the postinst script to use that pattern instead, does it
> avoid the problem you describe? If so, you can suggest that to the
> package maintainer.

I have reported it for both sa-compile and tuptime. postgres hasn't 
cause us any problems since the -s is just specifying which shell. I 
believe the issue has to do with the fact that the hyphen makes it an 
interactive shell as opposed to not using the hyphen which just executes 
the command. I also found it in the spamassassin package so will report 
it there as well.

The debconf-doc package seems to contain a lot of information about 
using postinst so I'll file a report there as well.

Thanks.

--
Terry