[Debian-med-packaging] Bug#689111: libchado-perl: conffile not in /etc (policy 10.7.2): /usr/share/gmod/chado/load/etc/load.conf

Andreas Beckmann debian at abeckmann.de
Sat Sep 29 09:13:30 UTC 2012

Package: libchado-perl
Version: 1.22-3
Severity: serious
User: debian-qa at lists.debian.org
Usertags: piuparts


During a test with piuparts I noticed your package modifies shipped
files that appear to be configuration files, but are in /usr instead of
/etc.  This is forbidden by the policy, see

10.7.2: "Location: Any configuration files created or used by your
package must reside in /etc. [...]"

Continuing with the bug template for modified conffiles, as that may be
the next problem you will encounter:

10.7.3: "[...] The easy way to achieve this behavior is to make the
configuration file a conffile. [...] This implies that the default
version will be part of the package distribution, and must not be
modified by the maintainer scripts during installation (or at any
other time)."

Note that once a package ships a modified version of that conffile,
dpkg will prompt the user for an action how to handle the upgrade of
this modified conffile (that was not modified by the user).

Further in 10.7.3: "[...] must not ask unnecessary questions
(particularly during upgrades) [...]"

If a configuration file is customized by a maintainer script after
having asked some debconf questions, it may not be marked as a
conffile. Instead a template could be installed in /usr/share and used
by the postinst script to fill in the custom values and create (or
update) the configuration file (preserving any user modifications!).
This file must be removed during postrm purge.
ucf(1) may help with these tasks.
See also http://wiki.debian.org/DpkgConffileHandling

In https://lists.debian.org/debian-devel/2012/09/msg00412.html and
followups it has been agreed that these bugs are to be filed with
severity serious.

debsums reports modification of the following files,
from the attached log (scroll to the bottom...):

0m29.3s ERROR: FAIL: debsums reports modifications inside the chroot:

And while we are at it ... you might have a look at dbconfig-common for
setting up a database ... and /etc/gmod/gmod-chado.conf should not be
world readable as it contains a DB password ... and the postinst script
does not handle the database password in a secure way: passing it on the
command line, echoing it to a file before restricting permissions on the
file, ...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: libchado-perl_1.22-3.log.gz
Type: application/x-gzip
Size: 22712 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20120929/4eaa4c7a/attachment-0001.bin>
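
Added example (not part of the original report, and not the package's own code): one way a postinst could write a configuration file holding the DB password without passing it on a command line or writing it before permissions are restricted, the two problems named in the report's last paragraph. The function name, the template file and the @DBPASS@ placeholder are assumptions; preserving user modifications (ucf) is not covered here.

```shell
#!/bin/sh
# Hypothetical postinst helper (assumed names; not from libchado-perl).
#
# write_db_conf TEMPLATE TARGET
#   Reads the DB password from stdin, replaces the first @DBPASS@ on each
#   line of TEMPLATE and installs the result at TARGET with mode 0600.
#   Usage sketch: printf '%s\n' "$pw" | write_db_conf tmpl /etc/gmod/gmod-chado.conf
write_db_conf() {
    template=$1
    target=$2

    # Take the secret from stdin: argv of any process is visible to all
    # local users through ps and /proc/<pid>/cmdline.
    IFS= read -r dbpass || [ -n "$dbpass" ] || return 1

    # mktemp creates the file with mode 0600 *before* any data is written.
    # Creating it next to the target makes the final mv an atomic rename.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }

    # Substitute with shell parameter expansion and the printf builtin only,
    # so the password is never handed to sed/perl as a command-line argument.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *@DBPASS@*)
                line="${line%%@DBPASS@*}${dbpass}${line#*@DBPASS@}" ;;
        esac
        printf '%s\n' "$line"
    done < "$template" > "$tmp" || { rm -f "$tmp"; return 1; }

    # rename(2) keeps the restrictive mode; readers never see a
    # world-readable or half-written file.
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    unset dbpass
}
```

A matching postrm purge step would remove the generated file, as the report notes for files that are not conffiles.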
