[DRE-maint] Bug#814476: closed by Pirate Praveen <praveen at debian.org> (Bug#814476: fixed in gitlab 8.4.3+dfsg-4)

Johannes Schauer josch at debian.org
Sun Feb 14 15:02:03 UTC 2016


Control: found -1 8.4.3+dfsg-6

Hi,

Quoting Debian Bug Tracking System (2016-02-13 18:24:16)
> This is an automatic notification regarding your Bug report
> which was filed against the gitlab package:
> 
> #814476: gitlab writes into /usr/share/gitlab during operation
> 
> It has been closed by Pirate Praveen <praveen at debian.org>.

Sorry, but this bug is still not fixed.

As you can read in my initial report, this bug is about a violation of Debian
policy §9.1.1, and gitlab is still writing files into /usr/share/gitlab during
operation or storing host-specific configuration in /usr/share/gitlab. Let me
quote chapter 4 of the FHS again:

"/usr is the second major section of the filesystem. /usr is shareable,
read-only data. That means that /usr should be shareable between various
FHS-compliant hosts and must not be written to. Any information that is
host-specific or varies with time is stored elsewhere."

Since you seem to have thought that only the log files were a problem, here are
some more offenders:

 - /usr/share/gitlab/.ssh/authorized_keys
 - /usr/share/gitlab/.secret
 - /usr/share/gitlab/config/database.yml
 - /usr/share/gitlab/config/gitlab.yml
 - /usr/share/gitlab/config/resque.yml
 - /usr/share/gitlab/config/secrets.yml
 - /usr/share/gitlab/config/unicorn.rb
 - /usr/share/gitlab/Gemfile.lock
 - /usr/share/gitlab/.gitconfig
 - /usr/share/gitlab/.gitlab_shell_secret
 - /usr/share/gitlab/information_schema
 - /usr/share/gitlab/public/uploads
 - /usr/share/gitlab/.secret
 - /usr/share/gitlab/shared/cache/archive/
 - /usr/share/gitlab/.ssh

A possible offender might be /usr/share/gitlab/public/assets/. I do not know
whether this content is host and/or configuration specific or not.

I think one big problem is that you set the home directory of the gitlab user
to /usr/share/gitlab. But users' home directories are definitely host-specific
and thus it would violate the FHS to store them in /usr. Also, it can usually
be expected that one has write access to the home directory but according
to the FHS, /usr might be mounted read-only during operation. So maybe you
should move the home directory to something host-specific like something in
/var.

The second problem is that there are still lots of configuration files in
/usr/share/gitlab. But configurations are host-specific and should be in /etc
or also in /var in certain cases.

Lastly, there seem to be upload and cache directories in /usr/share/gitlab
which definitely mustn't be there, like /usr/share/gitlab/public/uploads or
/usr/share/gitlab/shared/cache/archive/.

Thanks!

cheers, josch
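
One way to enumerate offenders like those listed in the message above, as an added example that is not part of the original message or of the gitlab package. The function name `unpackaged_paths` is hypothetical, the manifest is assumed to be a list of shipped paths such as the output of `dpkg -L gitlab`, and the file/dir/symlink label on each hit goes slightly beyond what the message describes.

```shell
#!/bin/sh
# Added example: report paths that exist under a tree but were not shipped
# by the package, i.e. state created during installation or operation.
#
# Usage: unpackaged_paths ROOT MANIFEST
#   ROOT      directory to audit, e.g. /usr/share/gitlab
#   MANIFEST  file with one shipped path per line (assumption: produced
#             with something like `dpkg -L gitlab > manifest`)
# Output: one line per unshipped path, "<type><TAB><path>", where type is
#         file, dir or symlink. Returns 2 on bad arguments.
unpackaged_paths() {
    root=$1
    manifest=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    [ -r "$manifest" ] || { echo "cannot read: $manifest" >&2; return 2; }

    on_disk=$(mktemp) || return 2
    shipped=$(mktemp) || { rm -f "$on_disk"; return 2; }

    # Everything below ROOT as it exists now; symlinks are not followed.
    find "$root" -mindepth 1 | LC_ALL=C sort -u > "$on_disk"
    LC_ALL=C sort -u "$manifest" > "$shipped"

    # comm -23 keeps lines found only in the first input:
    # present on disk, absent from the package manifest.
    LC_ALL=C comm -23 "$on_disk" "$shipped" | while IFS= read -r p; do
        if [ -L "$p" ]; then
            printf 'symlink\t%s\n' "$p"   # may point into /etc or /var
        elif [ -d "$p" ]; then
            printf 'dir\t%s\n' "$p"       # e.g. upload or cache directories
        else
            printf 'file\t%s\n' "$p"      # e.g. secrets, generated config
        fi
    done

    rm -f "$on_disk" "$shipped"
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    unpackaged_paths "$1" "$2"
fi
```

Entries reported as `file` or `dir` are the ones that break on a read-only or shared /usr; a `symlink` entry still needs its target checked.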