[Piuparts-devel] Bug#850762: fixed in setserial 2.17-50

Sat Jan 28 12:06:00 UTC 2017

Control: reopen -1
Control: retitle -1 setserial: directly invokes init scripts, should use invoke-rc.d

Hello!

On Fri, Jan 27, 2017 at 07:54:08PM +0100, Andreas Beckmann wrote:
> On 2017-01-27 17:09, Andreas Henriksson wrote:
> > Hello Thorsten Alteholz, Andreas Beckmann.
> > 
> > On Sun, Jan 22, 2017 at 03:50:31PM +0000, Thorsten Alteholz wrote:
> > [...]
> >>    * debian/control: add dependency to lsb-base (Closes: #850762)
> > [...]
> > 
> > This change is WRONG. You're now depending on something which you don't
> > actually need!
[...]
> > Andreas please confirm you're missing policy-rc.d (and have an
> > init-less chroot, e.g. debootstrap --variant=minbase).
> 
> There is usually no init system installed, but a policy-rc.d exists to
> prevent starting of services (with exceptions for mysql and postgresql).
[...]

Thanks for confirming that you have a policy-rc.d in place.

> 
> If something still runs into the missing lsb-base dependency, the
> initscript must be executed by some means that avoid invoke-rc.d.
[...]

You're right! The setserial postinst does indeed call the init
script directly in certain cases:
http://sources.debian.net/src/setserial/2.17-50/debian/postinst/#L102
http://sources.debian.net/src/setserial/2.17-50/debian/postinst/#L125

Circumventing the required *-rc.d policy layers like this is a
serious policy violation. (9.3.3)

(Even worse is hiding the problem by adding a lsb-base dependency!)

> We looked into the missing lsb-base dependencies and whether these
> could be checked for with piuparts, but concluded that this does not
> work since the initscrips are usually not executed if running under
> piuparts.
[...]

Just an idea: since the init scripts shouldn't be executed at all
if you have policy-rc.d in place maybe you could create a check
that overwrites any installed init script with simply "exit 1"
to make sure the package doesn't try to circumvent the *-rc.d
system? That would detect this case (and avoid pointing it
at things like "missing lsb-base dependency" which is just
a wild goose here).

Regards,
Andreas Henriksson

PS. There's lots of other outdated and unsupported cruft in the
postinst as well, like calling update-rc.d with manually specified
start order arguments. It seems to need a pretty extensive cleaning.