Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: syst...@packages.debian.org
Control: affects -1 + src:systemd
I'd like to get the release team's approval for a proposed change to bookworm's libnss-myhostname and libnss-mymachines packages, which are both generated from src:systemd. Note that since the systemd maintainers have already uploaded a new package targeting bookworm 12.6, this change will likely get rolled up into whatever their next planned upload is; I don't expect them to make an upload for this change specifically. Per their request, I'm looking for signoff from the stable release managers that this change would be accepted. Consequently, the diff shown here does not include a changelog update, as this would be generated by gbp.

Additional context, along with the details of the testing performed, is available in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072380
and
https://people.debian.org/~noahm/bug-1072380-testing.html

The problem being addressed with this change is that the installation of the libnss-myhostname and libnss-mymachines packages inserts their entries in a suboptimal order in /etc/nsswitch.conf. This results in unnecessary DNS queries for names that can and should be handled locally by these NSS modules. Impact includes leaking local container names to the DNS infrastructure and potential delays while waiting for DNS answers that will never come. The issue was reported in the context of the bookworm cloud images, which install libnss-myhostname by default, in bug #1072380. It is also the root cause of #825438 and #851314.

It was fixed in sid/trixie with https://salsa.debian.org/systemd-team/systemd/-/merge_requests/162, uploaded in systemd 256~rc3-3. The changes in this MR cherry-pick cleanly to the bookworm packaging. The proposed change only impacts fresh installations of the impacted packages, not upgrades, which is consistent with how the packages in trixie behave.
The complete set of proposed changes follows: commit b2e84c688b1c50e87761c4a9d9e28cbb7c97a116 (HEAD -> bookworm-nss, fork/bookworm-nss) Author: Gioele Barabucci <gio...@svario.it> Date: Wed Aug 10 16:35:58 2022 +0200 d/libnss-mymachines.nss: Install before `resolve` and `dns` Installing `mymachines` before `dns` and `resolve` (whatever comes first) is suggested in the manpage. It also avoids leaking information about local machines to the DNS resolver. Closes: #825438 Closes: #851314 (cherry picked from commit 98b7abdc1fc9ae5ecaaeb3a1fad332522b19501b) diff --git a/debian/libnss-mymachines.nss b/debian/libnss-mymachines.nss index dd7e3a1745..ff7213d021 100644 --- a/debian/libnss-mymachines.nss +++ b/debian/libnss-mymachines.nss @@ -1 +1 @@ -hosts last mymachines +hosts before=resolve,dns mymachines commit 5e48855c2f2906e338d5c64bd0941c1eef6574af Author: Gioele Barabucci <gio...@svario.it> Date: Thu Aug 11 14:28:50 2022 +0200 d/libnss-myhostname.nss: Install after `files` (cherry picked from commit a0e7eede9ba115500b0fbe79ce1107458683dc6c) Closes: #1072380 diff --git a/debian/libnss-myhostname.nss b/debian/libnss-myhostname.nss index 0ef4054806..9ed4b628e2 100644 --- a/debian/libnss-myhostname.nss +++ b/debian/libnss-myhostname.nss @@ -1 +1 @@ -hosts last myhostname +hosts after=files myhostname
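Review bot: the `+hosts before=resolve,dns mymachines` line in the libnss-mymachines.nss hunk does not say where `mymachines` lands when neither `resolve` nor `dns` is present on the hosts line; the commit message only covers the case where at least one of them exists ("whatever comes first"). A sentence in the commit message stating the fallback placement would make that reviewable, because an unexpected position would keep container names flowing out to DNS, which is exactly the leak this change closes. Since the report above also notes that only fresh installations are reordered, a NEWS entry telling administrators of upgraded bookworm hosts to move `mymachines` ahead of `resolve`/`dns` by hand would address the same leak on existing systems.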
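Review bot: the libnss-myhostname.nss commit message gives no rationale for `+hosts after=files myhostname`, whereas the first commit cites the manpage and the information-leak concern; one line stating that `files` stays first so that /etc/hosts entries still override the local hostname, while `myhostname` now precedes `dns`, would make the intent clear without following the MR link. The `Closes: #1072380` trailer also sits after the `(cherry picked from ...)` line; placing it before that line, as in the first commit, keeps the two messages consistent.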
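An audit of an existing host's /etc/nsswitch.conf, added here as an example and not part of the bug report or of the systemd packaging: because the fix only applies to fresh installations, an upgraded system keeps whatever order it already has, and this check reports the ordering the patch corrects. Function names and the sample configurations are constructed for the example.

```python
"""Audit the 'hosts' line of an nsswitch.conf for NSS module ordering.

Flags the placement that the proposed change corrects: myhostname and
mymachines listed after dns/resolve, which sends local names out to DNS.
"""
from typing import List

# Modules that perform network (DNS) lookups; local-name modules must precede them.
NETWORK_MODULES = ("dns", "resolve")


def hosts_modules(nsswitch_text: str) -> List[str]:
    """Return the module names on the 'hosts:' line, ignoring comments and
    action specifiers such as [NOTFOUND=return] or [!UNAVAIL=return]."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        fields = line[len("hosts:"):].split()
        return [f for f in fields if not f.startswith("[")]
    return []


def check_hosts_order(nsswitch_text: str) -> List[str]:
    """Return a list of findings; an empty list means the order matches the fix."""
    mods = hosts_modules(nsswitch_text)
    if not mods:
        return ["no hosts line found"]
    findings = []
    # Position of the first network-querying module (end of list if there is none).
    net_positions = [i for i, m in enumerate(mods) if m in NETWORK_MODULES]
    first_net = min(net_positions) if net_positions else len(mods)
    for local in ("myhostname", "mymachines"):
        if local in mods and mods.index(local) > first_net:
            findings.append(f"{local} is listed after {mods[first_net]}: local names go to DNS")
    # The fix keeps 'files' ahead of myhostname so /etc/hosts still overrides the local name.
    if "myhostname" in mods and "files" in mods and mods.index("myhostname") < mods.index("files"):
        findings.append("myhostname precedes files: /etc/hosts cannot override the local hostname")
    return findings


# Constructed samples: the old 'last' placement and the order produced by the fix.
BEFORE_FIX = "passwd: files\nhosts: files dns myhostname mymachines   # old order\n"
AFTER_FIX = "hosts: files myhostname mymachines resolve [!UNAVAIL=return] dns\n"

if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, check_hosts_order(text) or "ok")
```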