sugarplum: modifies apache config without asking

Automatically imported from Debian bug report #268093 http://bugs.debian.org/268093

Message-Id: <email address hidden>
Date: Wed, 25 Aug 2004 22:54:13 +0200
From: christian mock <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: sugarplum: modifies apache config without asking

Package: sugarplum
Version: 0.9.10-3
Severity: serious
Justification: Policy 10.7.3

sugarplum's postinst, via the wwwconfig-common scripts (if available)
modifies httpd.conf files of apache, apache-ssl and apache-perl if
available, without asking or even informing the administrator.

this is a violation of the policy ch 10.7.3:

"[scripts] must not overwrite or otherwise mangle the user's
configuration without asking".

it can also, depending on configuration (i.e. if mod_rewrite is not loaded),
break the apache config, and as it restarts the apache servers after
modifying httpd.conf, this could result in a loss of service.

cm.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux trumm 2.4.22trumm+umlska #2 Sun Sep 21 01:48:15 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages sugarplum depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
ii wenglish 2.0-2 English dictionary words for /usr/
ii wenglish [wordlist] 2.0-2 English dictionary words for /usr/
ii wgerman [wordlist] 2-13 The German dictionary for /usr/sha
ii wngerman [wordlist] 20010414-0.1 New German orthography dictionary

Message-ID: <email address hidden>
Date: Wed, 25 Aug 2004 18:15:38 -0400
From: sean finney <email address hidden>
To: christian mock <email address hidden>, <email address hidden>
Cc: Debian Developers <email address hidden>
Subject: Re: Bug#268067: sugarplum: modifies apache config without asking

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

clone 268067 -1
reassign -1 wwwconfig-common
merge 268067 -1
thanks

hi christian,

i'm duplicating, reassigning, and merging the bug in question so that
it involves the maintainer of wwwconfig-common as well. all further
bug reports will include both packages.

On Wed, Aug 25, 2004 at 10:54:13PM +0200, christian mock wrote:
> sugarplum's postinst, via the wwwconfig-common scripts (if available)=20
> modifies httpd.conf files of apache, apache-ssl and apache-perl if=20
> available, without asking or even informing the administrator.
>=20
> this is a violation of the policy ch 10.7.3:
>=20
> "[scripts] must not overwrite or otherwise mangle the user's=20
> configuration without asking".

plus, it's the config of another package, which is a also no-no.

really, the problem is that debian hasn't standardized on a way for dynamic
web apps the likes of sugarplum to install/configure themselves with
webservers such as apache. many maintainer scripts go so far as to just
echo "Include foo >> /etc/apache/httpd.conf", which i think you'd agree
is pretty horrible.

as the maintainer, i made what i felt was the best choice i could
while still giving the user the drop-in install joy of dpkg/apt
by using an at least semi-standardized means for inclusion. this way,
when debian does develop a standard for such things (or decides that
such things must rely on the admin) wwwconfig-common could be patched
and the 40-50 packages using it would be brought in compliance. you might
want to follow up on a recent thread on the topic[1] -- at least it's
being actively discussed, and progress is being made on the issue.

i'm also going to cc debian-devel on this, to solicit more developer
opinion. my plan will be to either remove this functionality from my
package, or to work out a solution that at least prompts the admin for
what to do (ideally by patching wwwconfig-common).

 sean

[1] http://lists.debian.org/debian-devel/2004/08/msg01104.html

--=20

--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLQ+KynjLPm522B0RAgEvAJ9Fiqd96uPxKh6GNQYUkPhRJnVwdwCghGyV
xCw3AfAhN4W+15rkz0z4Ai0=
=8Bga
-----END PGP SIGNATURE-----

--opJtzjQTFsWo+cga--

Message-ID: <email address hidden>
Date: Wed, 25 Aug 2004 20:15:42 -0400
From: sean finney <email address hidden>
To: <email address hidden>
Subject: [<email address hidden>: Re: Bug#268067: sugarplum: modifies apache config without asking]

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

clone 268067 -1
reassign -1 wwwconfig-common
merge 268067 -1
thanks

oops, didn't cc control...

----- Forwarded message from sean finney <email address hidden> -----

Date: Wed, 25 Aug 2004 18:15:38 -0400
=46rom: sean finney <email address hidden>
To: christian mock <email address hidden>, <email address hidden>
Subject: Re: Bug#268067: sugarplum: modifies apache config without asking

clone 268067 -1
reassign -1 wwwconfig-common
merge 268067 -1
thanks

hi christian,

i'm duplicating, reassigning, and merging the bug in question so that
it involves the maintainer of wwwconfig-common as well. all further
bug reports will include both packages.

On Wed, Aug 25, 2004 at 10:54:13PM +0200, christian mock wrote:
> sugarplum's postinst, via the wwwconfig-common scripts (if available)=20
> modifies httpd.conf files of apache, apache-ssl and apache-perl if=20
> available, without asking or even informing the administrator.
>=20
> this is a violation of the policy ch 10.7.3:
>=20
> "[scripts] must not overwrite or otherwise mangle the user's=20
> configuration without asking".

plus, it's the config of another package, which is a also no-no.

really, the problem is that debian hasn't standardized on a way for dynamic
web apps the likes of sugarplum to install/configure themselves with
webservers such as apache. many maintainer scripts go so far as to just
echo "Include foo >> /etc/apache/httpd.conf", which i think you'd agree
is pretty horrible.

as the maintainer, i made what i felt was the best choice i could
while still giving the user the drop-in install joy of dpkg/apt
by using an at least semi-standardized means for inclusion. this way,
when debian does develop a standard for such things (or decides that
such things must rely on the admin) wwwconfig-common could be patched
and the 40-50 packages using it would be brought in compliance. you might
want to follow up on a recent thread on the topic[1] -- at least it's
being actively discussed, and progress is being made on the issue.

i'm also going to cc debian-devel on this, to solicit more developer
opinion. my plan will be to either remove this functionality from my
package, or to work out a solution that at least prompts the admin for
what to do (ideally by patching wwwconfig-common).

 sean

[1] http://lists.debian.org/debian-devel/2004/08/msg01104.html

--=20

----- End forwarded message -----

--+HP7ph2BbKc20aGI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLSuuynjLPm522B0RAkQnAJ4oCY60HBz3S4aeT9AsHAWFV5tTdACfTmdC
cZ6aPY/bnapsd55a0aPnnvo=
=3Duu
-----END PGP SIGNATURE-----

--+HP7ph2BbKc20aGI--

Similar to 848

sugarplum (0.9.10-3ubuntu1) warty; urgency=low
 .
   * Remove the unecessary abomination of wwwconfig-common (Closes: #268093)
     (Warty #849)

Message-ID: <email address hidden>
Date: Wed, 1 Sep 2004 14:22:37 +0100
From: Thom May <email address hidden>
To: <email address hidden>

tags 268093 +patch
thanks

Hi,
the patch at
http://wwwconfig-common-must-die.no-name-yet.com/patches/sugarplum-no-wwwconfig-common.diff
removes wwwconfig-common usage and adds apache2 support to sugarplum.
Cheers,
-Thom

Message-ID: <email address hidden>
Date: Wed, 1 Sep 2004 17:15:34 +0200
From: Ola Lundqvist <email address hidden>
To: Thom May <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#268093: (no subject)

severity 268093 wishlist
thanks

Hello

I was not aware that this bug was assigned to wwwconfig-common at all.
I lower the severity to wishlist because I can not really agree that this
is a bug in wwwconfig-common.

And did you really want to file this information to the bug related
to wwwconfig-common and not the other "clone"?

Thanks for the information though.

On Wed, Sep 01, 2004 at 02:22:37PM +0100, Thom May wrote:
> tags 268093 +patch
> thanks
>
> Hi,
> the patch at
> http://wwwconfig-common-must-die.no-name-yet.com/patches/sugarplum-no-wwwconfig-common.diff
> removes wwwconfig-common usage and adds apache2 support to sugarplum.

Hmm what a domain-name. :)

Regards,

// Ola

> Cheers,
> -Thom
>

--
 --------------------- Ola Lundqvist ---------------------------
/ <email address hidden> Annebergsslingan 37 \
| <email address hidden> 654 65 KARLSTAD |
| +46 (0)54-10 14 30 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

Message-ID: <email address hidden>
Date: Tue, 21 Sep 2004 10:06:38 +0200
From: Ola Lundqvist <email address hidden>
To: <email address hidden>
Subject: 268093 - patch

tags 268093 - patch
thanks

--
 --------------------- Ola Lundqvist ---------------------------
/ <email address hidden> Annebergsslingan 37 \
| <email address hidden> 654 65 KARLSTAD |
| +46 (0)54-10 14 30 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------