Your message dated Thu, 05 Apr 2018 17:20:05 +0000 with message-id <[email protected]> and subject line Bug#299007: fixed in debian-policy 4.1.4.0 has caused the Debian Bug report #299007, regarding Transitioning perms of /usr/local to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
299007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=299007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tech-ctte
Severity: normal

This is a delegation of the resolution of Bug#299007 to the Technical Committee under points 1 and 3 of section 6.1 of the Constitution. As Policy delegate, I am not comfortable making a final decision either way on this bug and ask that the tech-ctte please make a binding decision.

The dispute is over the following text in Debian Policy:

    The `/usr/local' directory itself and all the subdirectories created by the package should (by default) have permissions 2775 (group-writable and set-group-id) and be owned by `root.staff'.

The proposed change is to state instead that the /usr/local directory itself and all the subdirectories created by the package should (by default) have permissions 755 and be owned by root:root.

The contention in this proposal is that the current Policy-mandated behavior represents a potential security vulnerability since it allows elevation of a compromise of group staff to a root compromise since /usr/local/bin is in root's default path. The counter-contention is that the staff group is empty by default and it is up to the local system administrator to extend that privilege in a way consistent with the local site security policy.

https://launchpad.net/bugs/13795 is the corresponding Ubuntu bug. According to that bug log, Ubuntu has chosen to diverge from Debian on this point.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
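
The condition this dispute turns on can be checked on an installed system. The following is an added example, not part of the bug log or of Debian Policy: it lists directories under a tree that group or others can write to and marks those that sit on a given search path. The function names and the sample tree are constructed for illustration; on a real host the path list to pass in is root's PATH, not the caller's.

```python
import os
import stat
import tempfile

def audit_local_tree(root, path_dirs):
    """Return directories under root (inclusive) writable by group or others."""
    on_path = {os.path.realpath(p) for p in path_dirs if p}
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):  # does not follow symlinks
        st = os.lstat(dirpath)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append({
                "path": dirpath,
                "mode": format(mode, "04o"),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "setgid": bool(mode & stat.S_ISGID),
                # A writable directory on the search path is the route from
                # group membership to running code as whoever uses that path.
                "on_path": os.path.realpath(dirpath) in on_path,
            })
    # Directories on the search path sort first.
    return sorted(findings, key=lambda f: (not f["on_path"], f["path"]))

def build_sample_tree(base):
    """Constructed sample: bin and share use the old 2775, sbin uses 0755."""
    for name, mode in (("bin", 0o2775), ("sbin", 0o755), ("share", 0o2775)):
        d = os.path.join(base, name)
        os.mkdir(d)
        os.chmod(d, mode)  # set explicitly; mkdir's mode is masked by umask
    os.chmod(base, 0o755)
    # Constructed search path for the sample tree.
    return [os.path.join(base, "bin"), os.path.join(base, "sbin"), "/usr/bin"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for finding in audit_local_tree(base, build_sample_tree(base)):
            print(finding)
    # Real system: audit_local_tree("/usr/local", root_path.split(":"))
    # where root_path is the PATH that root's shell actually gets.
```

The gid in each finding identifies which group holds the write access; whether that group has members is the site-specific part the counter-contention refers to.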
--- Begin Message ---
Source: debian-policy
Source-Version: 4.1.4.0

We believe that the bug you reported is fixed in the latest version of debian-policy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <[email protected]> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Apr 2018 09:08:16 -0700
Source: debian-policy
Binary: debian-policy
Architecture: all source
Version: 4.1.4.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Policy Editors <[email protected]>
Changed-By: Sean Whitton <[email protected]>
Closes: 299007 515856 742364 881431 886890 888437 889167 889960 892142
Description:
 debian-policy - Debian Policy Manual and related documents
Changes:
 debian-policy (4.1.4.0) unstable; urgency=medium
 .
   [ Sean Whitton ]
   * Policy: Drop get-orig-source rules target
     Wording: Helmut Grohne <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Seconded: Niels Thykier <[email protected]>
     Closes: #515856
   * Policy: Update required permissions for /usr/local
     Wording: Santiago Vila <[email protected]>
     Seconded: Don Armstrong <[email protected]>
     Seconded: Ian Jackson <[email protected]>
     Seconded: Russ Allbery <[email protected]>
     Closes: #299007
   * Policy: Document debian/missing-sources
     Wording: Sean Whitton <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Seconded: Gunnar Wolf <[email protected]>
     Closes: #742364
   * Policy: Uniqueness of version numbers
     Wording: Sean Whitton <[email protected]>
     Seconded: Simon McVittie <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Closes: #881431
   * Update recommendations dh_systemd_* -> dh_installsystemd
     (Closes: #889167).
     Thanks Chris Lamb for the report.
   * Fix some typos (Closes: #886890).
     Thanks Sebastian Rasmussen for the patch.
   * Fix some errors in shell script snippets caused by the rST conversion
     script (Closes: #888437).
     Thanks Yao Wei for the patch.
   * Fix version of init-system-helpers required for `defaults-disabled`
     option from 1.5.0 to 1.50.
     Thanks to GengYu Rao for noting this on the debian-policy list.
   * Fix indentation of description of the clean target (Closes: #889960).
     Thanks Ferenc Wágner for the report.
 .
   [ Jonathan Nieder ]
   * Use default-mta instead of exim in dependency example (Closes: #892142).
     Thanks to Paul Wise for the report.
--- End Message ---

