On 18/03/2010 17:41, Bdale Garbee wrote: > On Wed, 17 Mar 2010 23:57:09 +0100, Jean-Christophe Dubacq > <jcduba...@free.fr> wrote: > > Thanks for the questions on IRC yesterday, and for this but report. > After some sleep and re-reading some of my changelog entries, this isn't > quite as simple as it seemed yesterday. > >> * I do not understand why /etc/sudoers is not simply a conffile, >> especially now that /etc/sudoers.d is supported. > > History and inertia, mostly. The current processing actually pre-dates > clean conffile handling by dpkg, and largely pre-dates my taking over > the sudo package from Michael Meskes in 1996. > > The one reason I can remember this morning to not just replace the > current handling without further thought is that removing sudoers on > purge can cause problems for people moving systems between sudo and > sudo-ldap. Leaving the sudoers file in place on a purge was deemed the > least evil choice the last time I reviewed this functionality in April > of 2007 in response to #401366.
However, since sudo and sudo-ldap conflicts with each other, if the rm is made on purge, it is not purged because of conflicts (only deinstalled). You could also have a sudo-common, which owns the files. And in fact, I think the best solution would be to do what some databases do, and would correspond to what you aim to do with the other files: namely, preventing losing root access for people using sudo as sole root access. Ask a question with debconf about whether /etc/sudoers should be deleted on purge, and if it is "yes", then delete. People having a root password will gladly say it should be cleaned, and people going to some length to have no root password will simply say no. But well, it is more work. >> * the stanza with update-rc.d looks like it will not change anything > > In most cases, it won't. The code is there because a very old version > of sudo created an inappropriate set of links for the startup script > fragment. This stanza caused any lingering instances of that mess to be > cleaned up. It has been enough years that we can probably remove that > code with no penalty... but it certainly does no harm. In fact, what I meant is: "It won't do anything because the man page for update-rc.d says: ~When invoked with the remove option, update-rc.d removes any links in ~the /etc/rcrunlevel.d directories to the script /etc/init.d/name. The ~script must have been deleted already. If the script is still present ~then update-rc.d aborts with an error message. which means that in the postinst (where the script is always present), it will never do anything. Anyway, nice having some explanations. I feel more knowledgeable tonight. Sincerly, -- Jean-Christophe Dubacq -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
