Package: redmine
Version: 0.9.2-2
Severity: serious
Justification: Policy 9.1.1 FHS chapter 4

The plugin_assets directory is expected to be writable by the user running Redmine. In the Debian redmine package, this is currently /usr/share/redmine/public/plugin_assets. The package scripts acknowledge this by making the directory writable by www-data, but writing to /usr at runtime is not allowed per the FHS, and will cause problems on systems where /usr is mounted read-only (which is acceptable per Debian policy).

I expect the solution would be to put plugin_assets somewhere in /var and create a symbolic link pointing to it. This may cause problems on Apache systems where symbolic links are disallowed, but this could be worked around using an "Alias" directive in the example Apache configurations.

On a related note: This part isn't a policy violation (that I know of), but I figured I should mention that the package also creates "/usr/share/redmine/public/plugin_assets/README" and "/usr/share/redmine/db/schema.db" at config time, untracked by dpkg. These files get removed at "purge" time via "rm -rf /usr/share/redmine", but this seems a bit heavy-handed, since people might have installed plugins there.

I wonder if it would be better to delete these files, perhaps as part of the "prerm" script (or even at the end of the "config" script), such that dpkg can clean up /usr/share/redmine on its own?

(Just throwing this out there. It's minor and optional enough that I didn't want to bother you with a second "wishlist" bug.)

-- System Information:
Debian Release: 5.0.3
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages redmine depends on:
ii  dbconfig-common           1.8.39       common framework for packaging dat
ii  debconf [debconf-2.0]     1.5.24       Debian configuration management sy
ii  libjs-prototype           1.6.1-1      JavaScript Framework for dynamic w
ii  libjs-scriptaculous       1.8.3-1      JavaScript library for dynamic web
ii  rails                     2.2.3-2      MVC ruby based framework geared fo
ii  rake                      0.8.7-1      a ruby build program
ii  redmine-pgsql             0.9.2-2      metapackage providing PostgreSQL d
ii  ruby                      4.2          An interpreter of object-oriented
ii  ruby1.8                   1.8.7.249-1  Interpreter of object-oriented scr

Versions of packages redmine recommends:
pn  libapache2-mod-fcgid      <none>       (no description available)
ii  libfcgi-ruby1.8 [libfcgi-ruby 0.8.7-4.1  FastCGI library for Ruby

Versions of packages redmine suggests:
pn  libopenid-ruby            <none>       (no description available)
ii  librmagick-ruby           2.5.2-1      ImageMagick API for Ruby
pn  libsvn-ruby               <none>       (no description available)
ii  thin                      1.2.4-1      fast and very simple Ruby web serv

-- debconf information excluded
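
The relocation proposed in the report above, written out as an added example; it is not code from the Debian redmine package or from the reporter. The target /var/lib/redmine/plugin_assets, the URL path /plugin_assets/ and the function names are assumptions (the report only says "somewhere in /var"), and the optional ROOT argument exists so the functions can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not taken from the Debian redmine package.
# ASSUMPTIONS: /var/lib/redmine/plugin_assets as the new home (the report only
# says "somewhere in /var") and Redmine served from the web root.
OLD_REL=usr/share/redmine/public/plugin_assets
NEW_REL=var/lib/redmine/plugin_assets

# plugin_assets_state [ROOT] -> prints in-usr | relocated | missing
plugin_assets_state() {
    old="${1:-}/$OLD_REL"
    if [ -L "$old" ]; then echo relocated
    elif [ -d "$old" ]; then echo in-usr
    else echo missing
    fi
}

# relocate_plugin_assets [ROOT] [OWNER]
# Moves the runtime-writable directory out of /usr and leaves a symlink behind.
# ROOT is a scratch prefix for testing (empty on a real system); OWNER is the
# account the web application runs as (www-data in the report).
relocate_plugin_assets() {
    root="${1:-}"; owner="${2:-}"
    old="$root/$OLD_REL"; new="$root/$NEW_REL"

    # Idempotent: a second run (e.g. on package upgrade) must change nothing.
    if [ -L "$old" ]; then return 0; fi

    mkdir -p "$new" "$(dirname "$old")" || return 1
    if [ -d "$old" ]; then
        # Keep assets that installed plugins already copied here ("/." also
        # picks up dotfiles), then drop the copy under /usr.
        cp -a "$old/." "$new/" || return 1
        rm -rf "$old" || return 1
    fi
    ln -s "$new" "$old" || return 1

    # Only the relocated directory becomes writable by the web user.
    if [ -n "$owner" ]; then chown -R "$owner" "$new" || return 1; fi
    return 0
}

# For Apache setups that refuse to follow symlinks: serve the directory
# through an Alias instead, as the report suggests.
apache_alias_line() {
    printf 'Alias /plugin_assets/ "/%s/"\n' "$NEW_REL"
}
```

On a real system the call would be `relocate_plugin_assets "" www-data`, run as root from a maintainer script; after it, nothing under /usr needs to be writable by the web user.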