[Freedombox-discuss] Chef and Puppet experts?

Philip Hands phil at hands.com
Thu Sep 15 07:41:39 UTC 2011

On Wed, 14 Sep 2011 11:07:49 -0700, FreedomBox-Discuss.NeoPhyte_Rep at OrdinaryAmerican.net wrote:
> > Using any of Puppet/Chef/cfengine to achieve the same effect is
> > effectively just an attempt to side-step the edict against one package
> > modifying the conffiles of another (which would be another way of doing
> > this) -- while that edict is sometimes inconvenient, it's there for good
> > reason so one should be very cautious before ignoring it.
> I'm sorry, but I'm new around here. ("here" being the Debian project.)
>  Can you point us to that edict?

[note: not all configuration files are tagged as conffiles -- conffiles
are a special case where the package manager has been told that it's in
charge of ensuring that the files not be damaged during upgrades:

  http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files ]

Section 3, paragraph 3, of this:


	Packages must not modify other packages' configuration files
	except by an agreed upon APIs (eg, a /usr/sbin/update-foo command).

rc_policy.txt is the list of things that would have justified a release
critical bug in the latest stable release -- I failed to find it in the
general policy docs, but note that the same thing is also mentioned here:


          * updated section about `Configuration files': packages may not
          touch other packages' configuration files

in 1997.  Perhaps it's so fundamental that it doesn't need to be written
down in policy -- I suppose it's just a special case of the fact that
packages shouldn't tread on other package's files.

> I'm eager to learn the Debian way, but it's quite difficult to find
> where to start studying what some folks seem to believe is common
> knowledge.

Yes, I was a little surprised to find out that that wasn't spelled out
explicitly in the policy (unless I'm just being a bit dim).

> I can understand it might have something to do with security and how
> best to implement reliable code.  Am I on the right track?

It's more to do with the reliability -- it's very difficult for the user
to work out why they ended up in a particular state if you have one
package editing another's conffiles, since the final state is likely to
depend upon the order that packages were installed/removed.  The
resulting confusion is bad for the user, and thus bad for our bug
tracking system.

Of course, this is only for packages in Debian itself -- people often
achieve the same effect as having puppet or whatever by having a
site-local repository of packages that depend on loads of packages and
have postinst scripts that tweak all sorts of stuff, flouting policy
completely -- that's fine, but those packages are not something that
would get uploaded to Debian.

People have even made packages to make building such packages easier:


This might be of interest too:


Cheers, Phil.
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110915/9f6e6aee/attachment-0001.pgp>

More information about the Freedombox-discuss mailing list