[DRE-maint] Bug#819374: gitlab-shell: has a configuration file in /usr/share and modifies it; also creates a log file there and other links

[Julian Gilbey]

Package: gitlab-shell
Version: 2.6.10-1
Severity: serious

The file /usr/share/gitlab-shell/config.yml is clearly a configuration
file and is modified during the package installation.  It also seems
to be modified during package upgrading, which is another serious bug.

In addition, a log file /usr/share/gitlab-shell/gitlab-shell.log is
created, as is a symlink /usr/share/gitlab-shell/.gitlab_shell_secret.

This is all in contravention of the Debian Policy.

Suggested fixes:

The config.yml file should be stored in the package as a symlink to
/etc/gitlab-shell/config.yml or something similar.  During the first
package installation, this should be setup as needed (including the
hostname), and during upgrades should be left alone.

The log file should not be stored in /usr/share but rather in
/var/log/gitlab.

The symlink should be in the package, and then the /var/lib/... file
setup as needed during the package configuration or running or
whatever is appropriate.

Best wishes,

   Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gitlab-shell depends on:
ii  ruby                        1:2.3.0+1
ii  ruby2.1 [ruby-interpreter]  2.1.5-4
ii  ruby2.2 [ruby-interpreter]  2.2.4-1
ii  ruby2.3 [ruby-interpreter]  2.3.0-5

gitlab-shell recommends no packages.

gitlab-shell suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/gitlab-shell/config.yml (from gitlab-shell package)