Debian Bug report logs - #36972
dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steve Lamb <morpheus@rpglink.com>

To: submit@bugs.debian.org

Subject: dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Date: Fri, 30 Apr 1999 14:46:50 -0700

Package: dpkg
Version: 1.4.1.1
Severity: Critical

    While updating listar from .118a to .121a dpkg removed symlinks which
were vital for listar to operate.  This is because the maintainer had
changed how his configuration worked and did not warn the administrator in
the upgrade that a major change was forthcoming.

    Regardless of the semantics of this issue it raises the concertn that
dpkg is deleting files/directories and symlinks based on the false
assumption that if the maintainer is not using the links/files/directories,
neither is (or should) the individual administrators.  This can lead to any
package, at any time, breaking based on such a false assumption.

    It is my opinion that dpkg, on an upgrade, should *NOT* remove any
file/directory/link without first prompting the maintainer in the same
manner that it prompts for action when it comes to the configuration file.

-- System Information
Debian Release: potato
Kernel Version: Linux teleute 2.2.6 #4 Sat Apr 24 23:07:04 PDT 1999 i586 unknown

Versions of the packages dpkg depends on:
hi  libc6           2.0.7.19981211 GNU C Library: shared libraries
hi  libncurses4     4.2-3          Shared libraries for terminal handling
hi  libstdc++2.9    2.91.61-1      The GNU stdc++ library (egcs version)

Message #10 received at 36972@bugs.debian.org (full text, mbox, reply):

From: Ben Collins <bcollins@debian.org>

To: Steve Lamb <morpheus@rpglink.com>, 36972@bugs.debian.org

Subject: Re: Bug#36972: dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Date: Fri, 30 Apr 1999 18:18:49 -0400

On Fri, Apr 30, 1999 at 02:46:50PM -0700, Steve Lamb wrote:
> Package: dpkg
> Version: 1.4.1.1
> Severity: Critical
>
>     While updating listar from .118a to .121a dpkg removed symlinks which
> were vital for listar to operate.  This is because the maintainer had
> changed how his configuration worked and did not warn the administrator in
> the upgrade that a major change was forthcoming.
>
>     Regardless of the semantics of this issue it raises the concertn that
> dpkg is deleting files/directories and symlinks based on the false
> assumption that if the maintainer is not using the links/files/directories,
> neither is (or should) the individual administrators.  This can lead to any
> package, at any time, breaking based on such a false assumption.
>
>     It is my opinion that dpkg, on an upgrade, should *NOT* remove any
> file/directory/link without first prompting the maintainer in the same
> manner that it prompts for action when it comes to the configuration file.

So let me get this straight, if tetex moves it's files from (not sure
if it's the right dir, but...) /usr/lib/tex to /usr/lib/tetex then you
want dpkg to prompt you for all (possibly) hundreds of files that it is
removing?

If a package breaks on an upgrade, it is the packages fault. dpkg can
only be but so smart about these things.

--
-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <bcollins@debian.org>                        Debian GNU/Linux
OpenLDAP Dev - bcollins@openldap.org     The Choice of the GNU Generation
------ -- ----- - - -------   ------- -- ---- - -------- - --- ---- -  --

Message #15 received at 36972@bugs.debian.org (full text, mbox, reply):

From: "Steve Lamb" <morpheus@rpglink.com>

To: "36972@bugs.debian.org" <36972@bugs.debian.org>, "Ben Collins" <bcollins@debian.org>

Subject: Re: Bug#36972: dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Date: Fri, 30 Apr 1999 15:29:45 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 Apr 1999 18:18:49 -0400, Ben Collins wrote:

>So let me get this straight, if tetex moves it's files from (not sure
>if it's the right dir, but...) /usr/lib/tex to /usr/lib/tetex then you
>want dpkg to prompt you for all (possibly) hundreds of files that it is
>removing?

    Or at least the single warning.

>If a package breaks on an upgrade, it is the packages fault. dpkg can
>only be but so smart about these things.

    Well, I'm in an argument with the maintainer of listar right now about
his package breaking my installation of listar.  This is because he lobbied
the Listar folks to have listar define where to find different things.  Then
in .119a he removed the symlinks which made pre-.119a versions work.  Without
warning from him, the symlinks were removed.  He is saying that it is not his
fault because the "fix" is to merge in the config file in.  My point is that
it worked before, if the symlinks were still there, it would work after, and
I would prefer that dpkg not guess as to what I intended with those symlinks
because I did like them there and prefered them there.

    This, however, brings in the problem that pkg will blindly delete
anything which it thinks is there and it thinks is no longer needed.  So,
yes, it would be a pain when tex move things over into tetex, to use your
example.  But what if I install files that dpkg later overwrites and then
removes during an upgrade but I need elsewhere?  If it drops symlinks that
scripts of mine use?  
By heavy-handedly making the assumption that *EVERYTHING* that the
administrator of the system intended is in dpkg a situation is made where
catastrophic breaks are iinevitable

    I agree with you, a per file query would be bad.  But I do not think that
an accounting of such changes in a single query would be out of line either. 
Believe you me, if *something*, either GGoerzen'spackage or dpkg itself told
me that files/links were going to be moved/destroyed and gave me the option
to look over the changes, I would not have lost the 2 days of list mail that
I did.

    So what I am proposing is that if dpkg is going to remove links,
directories or files on an upgrade (not install, deinstall, or purge) which
can have an effect on compatibility it throw up a prompt stating just that
with the option to look over the changes.  I don't think many of the packages
will be removing files on an upgrade.

    Like I said, though, the main concern I have is that something that an
administrator had, preexisting to dpkg, can be overwritten and later removed
by dpkg even though dpkg it not supposed to remove original work by the
administrator unintentionally.

- -- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
- -------------------------------+---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.0 (C) 1997 Pretty Good Privacy, Inc

iQA/AwUBNyou2Hpf7K2LbpnFEQJcQgCaArsAgdIubS7VZqjlG9P7EiA/7OMAn1U1
IzgMuCOd9Z7fHlrlhsbm+i3N
=n6Qr
-----END PGP SIGNATURE-----

Message #20 received at 36972@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>

To: 36972@bugs.debian.org, dpkg@packages.debian.org

Subject: Re: Bug#36972: dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Date: 30 Apr 1999 17:49:14 -0500

Steve Lamb writes:

> Package: dpkg
> Version: 1.4.1.1
> Severity: Critical
> 
>     While updating listar from .118a to .121a dpkg removed symlinks which
> were vital for listar to operate.  This is because the maintainer had
> changed how his configuration worked and did not warn the administrator in
> the upgrade that a major change was forthcoming.

Must this be rehashed AGAIN...  For those that don't know, Lamb has
been bugging me about this for some time.

Let me explain the situation and why dpkg is NOT at fault.

In Listar 0.119a, the upstream package acquired new capabilities for
specifying pathnames for files in its configuration files.  This means 
that the mess of symlinks previously required were no longer
necessary.  A small change in /etc/listar/listar.cfg (a listed
conffile) makes those symlinks unnecessary.

Steve ignored dpkg's prompts about /etc/listar/listar.cfg when he
upgraded his listar package.  He then claimed that the symlinks should 
not have disappeared; that I ought to keep them in the .deb ad
naseum.  He complained that the symlink disappearance caused his
server to break.  However, others upgraded the package successfully,
and despite removing the symlinks in the .deb, managed to make it work 
by properly updating their config files as dpkg asked.

Therefore, I believe that this is not a bug in dpkg, much less a
critical one, and can be summarily closed.  dpkg did exactly what it
was supposed to.  Furthermore, if the admin is prompted everytime a
file moves, is renamed, or disappears, people will never be able to
get their upgrades done.

I did not change how the configuration worked; there was a minor
change to listar.cfg.  dpkg did warn the administrator about the
change; there was no need for me to duplicate that.  He simply ignored 
the warnings.  Those symlinks were not "vital for listar to operate"
after the upgrade.

The assumption that the maintainer is not using the
files/links/directories is correct if they are no longer present in
the .deb.  If they were present before, and no longer are, then
obviously they are not to be used any longer and *should* be unlinked.

Message #25 received at 36972@bugs.debian.org (full text, mbox, reply):

From: "Steve Lamb" <morpheus@rpglink.com>

To: "36972@bugs.debian.org" <36972@bugs.debian.org>

Subject: Re: Bug#36972: dpkg: dpkg can remoev vital files/symlinks without warning adminitrator

Date: Mon, 03 May 1999 12:33:42 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>Steve ignored dpkg's prompts about /etc/listar/listar.cfg when he upgraded his 
>listar package.

    There was no warning that stated that there was a major change from
previous versions, that files/symlinks/directories vital to the operation of
the program were going to be removed.  It was the standard "new
configuration" prompt which in nearly EVERY case can be safely ignored.  In
fact, Listar is the first package in the year+ I've been using Debian which
broke so utterly.

>Furthermore, if the admin is prompted everytime a file moves, is renamed, or 
>disappears, people will never be able to get their upgrades done.

    Not every file, every time.  Only a prompt that dpkg has detected
files/directories/symlinks that are no longer support and will remove them
*IF* the administrator agrees.  

    Why did I file this against dpkg and not the listar package?  Because
Goerzen insists that dpkg is acting according to its design.  That means any
package can remove vital symlinks/directories/files without prior warning to
the administrator.

    Goerzen is only looking at the little picture.  He is seeing that Listar
removed symlinks that are no longer needed on his system or in the deb. 
However, as any person who works as an admin on a system knows, what is
packaged is not the whole picture.

    My concern lays in what the administrator has built up around those
packages.  Listar, in this case, broke with no warning.  *NONE*.  If I had
made any scripts for Listar based on the .119a package, they, too, would have
broken.  Furthermore, my main concern is what happens when a maintainer and a
sysadmin have convergence on the naming of symlinks, files and/or
directories?  The administrators pre-existing local configuration being
overwritten by a package's own symlinks/files/directories and later being
removed.  In this case, dpkg assumes that it is the only thing using those
items when, in fact, it is not.  Such a situation can and will lead to
systems breaking in the future without just cause or warning to the
administrators of said systems.

    What the workaround for this situation is, I do not know.  I am
suggesting a warning that files/directories/symlinks are going to be moved. 
That may be too harsh.  Maybe only when files/symlinks change, or just
symlinks since they are used mostly in a "glue" fashion and one really cannot
predict what the local administrator intends with them.  Further, let me
stress that this prompting would only occur during an upgrade.  Most upgrades
on most packages will not be moving the locations of
files/symlinks/directories.

>The assumption that the maintainer is not using the
>files/links/directories is correct if they are no longer present in
>the .deb.  If they were present before, and no longer are, then
>obviously they are not to be used any longer and *should* be unlinked.

    Finally, when is it ever a sane policy to say that when the *maintainer*
is done with the files/symlinks/directories that they local *administrators*
are done with those same files/symlinks/directories.  I agree that they
should be removed *if* the local administrator agrees.  At no time do I ever
forsee any packaging system being programmed so well, and a maintainer who
has never seen the machine these packages are running on, know better than
the local administrator what is and is not important to remove during a
cursory upgrade.

- -- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
- -------------------------------+---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.0 (C) 1997 Pretty Good Privacy, Inc

iQA/AwUBNy36Fnpf7K2LbpnFEQK45gCeI2deQNxgpNtnDuvM0d+FAKfjUxoAoOwI
FYBoA/YFThb2DxKkqmOyCMjt
=kTy+
-----END PGP SIGNATURE-----

Message #30 received at 36972@bugs.debian.org (full text, mbox, reply):

From: kaih@khms.westfalen.de (Kai Henningsen)

To: 36972@bugs.debian.org

Subject: Re: Bug#36972: dpkg: dpkg can remoev vital files/symlinks without warn

Date: 20 May 1999 09:23:00 +0200

morpheus@rpglink.com (Steve Lamb)  wrote on 03.05.99 in <E10eOVW-0000k6-00@rpglink.com>:

>   It was the standard "new
> configuration" prompt which in nearly EVERY case can be safely ignored.

That is a pretty startling assertion.

I'd say that this prompt can *never* be safely ignored.

Maybe the package won't break if you do. But chances are it will change  
it's behaviour in unpredictable ways. I've seen countless examples of  
this.

That's why there *is* such a prompt, after all. If it were safe to ignore,  
there would be no good reason to have it in the first place.

In fact, if this were a report about one of my packages, I'd probably say  
the above assertion alone is a reasn to close the bug as a clear pilot  
error.

>     My concern lays in what the administrator has built up around those
> packages.  Listar, in this case, broke with no warning.  *NONE*.

Given your above assertion, this is obviously untrue, *and you know it*.

MfG Kai

Message #35 received at 36972@bugs.debian.org (full text, mbox, reply):

From: Antti-Juhani Kaijanaho <gaia@iki.fi>

To: control@bugs.debian.org

Cc: 36972@bugs.debian.org

Subject: Downgrading bug 36972 severity (dpkg: dpkg can remoev vital files/symlinks without...)

Date: Mon, 24 May 1999 12:34:15 +0300

severity 36972 wishlist
thanks

This bug does not:
  * make unrelated packages (or the whole system) break
  * cause serious data loss
  * introduce security holes compromising a system
  => not critical
  * make the package in question [dpkg in this case] unusable or mostly so
  * cause data loss 
  * introduce security holes compromising a user account
  => not grave
  * make the package [dpkg] unsuitable to release
  => not important
  
I quote the bug submitter, Steve Lamb:
    Regardless of the semantics of this issue it raises the concertn that
    dpkg is deleting files/directories and symlinks based on the false
    assumption that if the maintainer is not using the links/files/directories,
    neither is (or should) the individual administrators.  This can lead to any
    package, at any time, breaking based on such a false assumption.

I'd like to point out that the assumption is *not* false: Debian does in
general not quarantee any sysadmin changes outside of /usr/local and /home
to stay untouched.  So dpkg operates here under a valid assumption. Sure
there are special cases (for example /etc/alternatives) where sysadmin
changes are preserved, but the burden on making sure this is so lies on the
individual developer who promises such a thing, and not on dpkg in general.

Therefore, the bug merely suggests a feature to dpkg.  I'm downgrading the
severity to wishlist.  If you disagree, feel free to upgade it to normal,
but no higher (this is NOT a release-critical bug, as explained above).

Message #42 received at 36972-done@bugs.debian.org (full text, mbox, reply):

From: Wichert Akkerman <wichert@cistron.nl>

To: 36972-done@bugs.debian.org, 36972-submitter@bugs.debian.org

Subject: Re: dpkg can remove vital files/symlinks

Date: Sat, 21 Apr 2001 14:40:03 +0200

I'm going to close this bugreport. Basically the problems was this:
listar changed its configuration, and unless a sysadmin changed
his configuration to match those changes his system would break.

That is a problem in listar: it should have warned about that
in its preinst script and and offer to abort the upgrade (using
debconf of course).

Wichert.

-- 
  _________________________________________________________________
 /       Nothing is fool-proof to a sufficiently talented fool     \
| wichert@cistron.nl                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

Send a report that this bug log contains spam.