Hi,

(disclaimer: I'm not a member of the release team.)

Hideki Yamane wrote (16 Oct 2012 20:03:34 GMT) :
> On Fri, 12 Oct 2012 23:45:14 +0100
> "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
>> > +To enable Tomoyo as the MAC security, please specify parameter to
>> > the kernel.
>> > +By default, it will be done by package.
>>
>> That doesn't appear to be accurate, given:
>>
>> > +Template: tomoyo-tools/grub
>> > +Type: boolean
>> > +Default: false
>> > +_Description: Enable TOMOYO Linux at boot time?
> Well, users just answer "yes" with debconf, I mean.

I believe that Adam means that in the "By default, it will be done by
package" sentence introduced by the proposed change, the *By default*
part is not matched by the actual implementation. After a glance at
the diff, I can only concur: doing something by default is quite
different from doing it iff. the user chooses a non-default answer to
a medium-priority debconf question.

Anyhow, the current implementation looks incomplete and quite fragile
to me:

> + if [ $RET = true ]; then
> + sed -e
> s/^GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"security=tomoyo\"/ \
> + -i /etc/default/grub && update-grub
> + elif [ $RET = false ]; then
> + sed -e
> s/^GRUB_CMDLINE_LINUX=\"security=tomoyo\"/^GRUB_CMDLINE_LINUX=\"\"/ \
> + -i /etc/default/grub && update-grub
> + fi

Unless I'm mistaken, this code:

  * basically assumes it's the only one to manage GRUB_CMDLINE_LINUX,
    which is untrue: grub-pc maintainer scripts manage
    /etc/default/grub with ucf
  * assumes GRUB_CMDLINE_LINUX is initially empty, which may not be
    the case
  * does not support removing security=tomoyo in case other settings
    were added by the administrator (same in tomoyo-tools.postrm)

(FTR, these kinds of difficulties are why I did not introduce a similar
semi-automatic enabling feature in the AppArmor package yet.)

I think bugs should be filed against the version in unstable to track
these issues.
Once they are fixed, then an additional issue will arise: the code
should also make sure only one security= parameter is passed to Linux.

Therefore, I don't think the proposed update is suitable for testing
at this time of the Wheezy release process. I recommend the release
team rejects this request.

Anyway, it would be awesome if the code and comments were fixed in
unstable at some point. Unfortunately, I guess that will be too late
for Wheezy.

> Users should check package's README.Debian and modify
> /etc/default/grub and run update-grub by hand if it's not
> introduced this change. For better user friendly package, I want it
> put to Wheezy.

I appreciate your concern about usability.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
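
Review bot: In the documentation hunk, "please specify parameter to the kernel" does not name the parameter. The maintainer-script lines write security=tomoyo, so state that value in the text. The following sentence, "By default, it will be done by package", should be reworded to match "Default: false" in the tomoyo-tools/grub template, for example by saying the package does it when the debconf question is answered yes.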
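
Review bot: In the "elif [ $RET = false ]" branch of the maintainer-script hunk, the replacement side of the sed expression begins with "^" (/^GRUB_CMDLINE_LINUX=\"\"/). "^" is an anchor only on the pattern side, so sed would write a literal "^" at the start of that line in /etc/default/grub; drop it from the replacement. Both tests also use $RET unquoted, so an empty value makes "[" fail with a syntax error rather than fall through; write "$RET". And because sed exits 0 whether or not it substituted anything, "&& update-grub" runs even when the pattern did not match.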
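
The handling the message above asks for (a non-empty initial value, other administrator settings preserved on removal, only one security= parameter), as an added example that is not part of this thread or of the tomoyo-tools package. It works on the value of GRUB_CMDLINE_LINUX as a string and leaves aside how /etc/default/grub itself is updated; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values constructed.
# Both functions take the current value of GRUB_CMDLINE_LINUX as a string
# and print the new value; neither touches /etc/default/grub.
# Tokens are split on whitespace; quoted values containing spaces are
# not handled.

# Print CMDLINE with exactly one security=LSM token. Every other token is
# kept in order; any existing security= token (even for another LSM) is
# dropped so the kernel never sees two of them.
set_security_param() {
    cmdline=$1 lsm=$2 out=""
    set -f                          # no globbing during word splitting
    for tok in $cmdline; do
        case $tok in
            security=*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "${out:+$out }security=$lsm"
}

# Print CMDLINE without security=LSM. Other tokens, including a
# security= choice for a different LSM, are left alone.
unset_security_param() {
    cmdline=$1 lsm=$2 out=""
    set -f
    for tok in $cmdline; do
        case $tok in
            "security=$lsm") ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "$out"
}

# Constructed sample values
set_security_param "" tomoyo
set_security_param "quiet console=ttyS0" tomoyo
set_security_param "security=apparmor quiet" tomoyo
unset_security_param "quiet security=tomoyo console=ttyS0" tomoyo
```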