2010/4/15 Joey Hess <jo...@debian.org>
> Allowing users to install a system with a noexec /var strikes me as a
> bad idea, because such a system will require a knowledgeable admin to
> intervene to allow it to upgrade, or install new packages.
>
> I think that partman should prevent the user from foot-shooting of this
> magnitude. It should ensure that at least / /usr /tmp /var are not
> noexec. (/tmp due to #223683)

I totally agree with that, but as a similar thing, one can configure /usr read-only (for security reasons). The installation process does not break with /usr configured read-only, and once you have rebooted, you HAVE to do some extra configuration (/etc/apt/apt.conf.d/... OK, this works with apt, aptitude, synaptic but not with dpkg itself) to install / upgrade packages.
My 2 cents ...
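As an added illustration of the two points made in this exchange (the check that / /usr /tmp /var are not mounted noexec, and the extra apt configuration a read-only /usr needs), the following POSIX shell is example code written for this page, not something from the thread or from partman. The `DPkg::Pre-Invoke` and `DPkg::Post-Invoke` directives are real apt.conf hooks; the hook file name, the decision to check `/proc/mounts`-format input rather than a partman recipe, and the sample mount table are my own assumptions.

```shell
#!/bin/sh
# Example code for this page (not from the thread or from partman).
# Assumption: a read-only /usr is made upgradeable by an apt.conf.d hook
# that remounts /usr read-write around each dpkg run. As the message says,
# only apt front-ends (apt-get, aptitude, synaptic) honour this hook; a
# bare "dpkg -i" on a read-only /usr still fails.
APT_RO_USR_HOOK='DPkg::Pre-Invoke  { "mount -o remount,rw /usr"; };
DPkg::Post-Invoke { "mount -o remount,ro /usr"; };'

write_apt_hook() {
    # $1: destination file, e.g. /etc/apt/apt.conf.d/10ro-usr (name assumed)
    printf '%s\n' "$APT_RO_USR_HOOK" > "$1"
}

# check_noexec reads /proc/mounts-format lines on stdin and prints every
# mount point from the set the message names (/ /usr /tmp /var) that is
# mounted noexec. Exit status 1 if any were found, 0 otherwise, so an
# installer or admin script can refuse to continue.
check_noexec() {
    found=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /|/usr|/tmp|/var) ;;
            *) continue ;;          # other mount points may be noexec freely
        esac
        case ",$opts," in
            *,noexec,*) echo "$mnt is mounted noexec ($opts)"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample mount table (not a real system): /usr read-only, and
# /var and /tmp noexec, i.e. exactly the layouts the thread warns about.
# /home is noexec too but is not in the checked set.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sda4 /tmp ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sda5 /home ext4 rw,noexec,relatime 0 0'

# Demo against the constructed sample. On a live system, run:
#   check_noexec < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_noexec \
    || echo "refusing to proceed: package installation would break"
```

Running the script prints the two offending entries (/var and /tmp) and the refusal line; on a system where the four listed mount points allow exec it prints nothing and exits 0. The `Post-Invoke` remount back to read-only can fail if something still holds a file on /usr open for writing, so a real deployment should check that remount's exit status rather than assume it succeeded.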