
[RFC] Alternative solution (was: r50470 - trunk/packages/kbd-chooser/debian)

From: Frans Pop <elendil(at)planet.nl>
Date: Tue Dec 18 2007 - 06:15:09 EST


As I was extremely tired last night I decided to quit the discussion until after some sleep.

On Monday 17 December 2007, Joey Hess wrote:
> Frans Pop wrote:
> > Because a dpkg-reconfigure needs to ask the question even if a keymap
> > is installed.
>
> if [ ! -e /etc/whatever_file ] || [ "$1" = reconfigure ]; then
> # ask question
> fi

Having d-i write an /etc/whatever_file for this still seems very ugly to me.

> The only reason there is no serious attack vector is because
> console-common only checks if the file exists. /tmp/debian-installer/ is
> not "controlled" by d-i post-installation. If I want to prevent the
> admin from seeing the keymap question, I can now do it, on any Debian
> system. This *is* a minor security hole.

Does not change the fact that the probability of anyone abusing that "hole" is about 0 and the effects if they do so are about null. On a scale from 1 to 100 I would personally rate this security issue at about -0.

That said, I totally agree that this is not something that should be implemented as a general mechanism and after some reflection I've come to the conclusion that your suggestion to set the "seen" flag is probably the best solution.

The (tested) patch below for kbd-chooser's post-base-installer hook script implements this by first "preseeding" the template in the D-I environment and then using debconf-copydb to propagate it to the target system. If there is a clean way to set the flag directly in the target environment, please propose an alternative patch.

If this patch is acked, I will implement it in kbd-chooser and Christian can then revert the changes in console-common and console-data at his convenience. I don't think there's any need to rush new uploads for those packages.


It would have been ever so nice if this discussion could have taken place _before_ the other solution had been implemented. Lessons for the future:
- if someone proposes a patch with an RFC and some reservations, please
  don't just upload the patch but allow some time for feedback
- if someone posts an RFC it would be nice if more people took the trouble
  to read it, consider the issue and post their opinion; preferably with
  arguments (even if they agree) and alternatives (if they don't)

Cheers,
FJP


+# Avoid displaying console-data's keymap policy question
+cd_template=console-data/keymap/policy
+cd_policy="Don't touch keymap"
+if ! db_set $cd_template "$cd_policy"; then
+        db_register debian-installer/dummy $cd_template
+        db_set $cd_template "$cd_policy"
+        db_subst $cd_template ID $cd_template
+fi
+db_fset $cd_template seen true
+debconf-copydb -p $cd_template configdb target_configdb

apt-install console-tools console-data console-common || true
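
Review bot: The second db_set in the fallback branch, the db_fset and the debconf-copydb call all run without any failure handling, so if one of them fails the hook still proceeds to apt-install and console-data's keymap policy question may be shown after all, with nothing logged. Unless the script runs under set -e (not visible in this hunk), check those return codes and log a warning. A short comment explaining why the template is registered against debian-installer/dummy and why the db_subst of ID is needed would help the next reader, and $cd_template should be quoted the same way "$cd_policy" is.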

Received on Tue Dec 18 06:16:28 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 03:48:01 EDT

