[Pkg-dns-devel] Bug#816425: Bug#816425: unbound: re-enables upstream forwarding

Robert Edmonds edmonds at debian.org
Tue Mar 1 21:49:20 UTC 2016


Jakub Wilk wrote:
> Hi Robert!
> 
> * Robert Edmonds <edmonds at debian.org>, 2016-03-01, 14:58:
> >I just tested an upgrade from 1.5.7-1 to 1.5.7-2. dpkg says:
> >
> >   Installing new version of config file /etc/resolvconf/update.d/unbound ...
> >
> >But it keeps the permission bits of the old version of the conffile (even
> >though I didn't touch them), which is surprising.
> 
> Sounds like #192981.

Yeah, that sounds exactly like it.

> >I'm not entirely sure what the correct way is to migrate the permissions
> >on a conffile on an upgrade. Do we maybe need something like this in the
> >preinst?
> >
> >   # XXX: Check if upgrading from a version less than 1.5.7-2~, then do:
> >   if [ -f /etc/default/unbound ]; then
> >       . /etc/default/unbound
> >       case "x$RESOLVCONF" in xfalse|x0|xno)
> >           RESOLVCONF="false"
> >           ;;
> >       *)
> >           RESOLVCONF="true"
> >           ;;
> >       esac
> >
> >       if ! $RESOLVCONF; then
> >           if [ -f /etc/resolvconf/update.d/unbound ]; then
> >               chmod -x /etc/resolvconf/update.d/unbound || true
> >           fi
> >       fi
> >   fi
> 
> s/RESOLVCONF/RESOLVCONF_FORWARDERS/g

Oh, right.

> My slight worry is that people who never edited /etc/default/unbound would
> retain forwarding enabled on upgrade, unlike people who installed the new
> version afresh. Is that intentional?

That was not intentional. What I actually wanted to do was disable the
RESOLVCONF_FORWARDERS functionality *especially* for people who never
edited /etc/default/unbound, because calling "unbound-control forward"
behind the admin's back would frequently break custom forwarding
configs.

So it actually doesn't matter what RESOLVCONF_FORWARDERS was set to...

> I'd rather let the maintainer script abort if chmod fails than to ignore the
> error.
> 
> >That doesn't help for upgrades from 1.5.7-2, since /etc/default/unbound
> >will no longer exist. (Maybe we could specially check
> >/etc/default/unbound.dpkg-bak for upgrades from 1.5.7-2? Ugh.)
> 
> Yeah, ugh. I don't think there's any pretty solution to this...

Hm, maybe it's as simple as:

    # XXX: Check if upgrading from a version less than 1.5.7-3~, then do:
    if [ -f /etc/resolvconf/update.d/unbound ]; then
        chmod -x /etc/resolvconf/update.d/unbound
    fi

That will annoy anyone who newly installed 1.5.7-2, then explicitly
chmod +x'd the file, but that's significantly fewer people than everyone
upgrading the package.

-- 
Robert Edmonds
edmonds at debian.org
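
The version-gated chmod sketched at the end of the message, filled in as an added example (not code from the thread or from the unbound package). The function names and the overridable `HOOK` variable are hypothetical; the hook path and the `1.5.7-3~` threshold come from the thread, and with `set -e` a failing chmod aborts the script, as Jakub prefers.

```shell
#!/bin/sh
# Added example: sketch of a preinst fragment, not the unbound package's script.
set -e

# Hook path from the thread; overridable (assumption) so it can be tried on a copy.
HOOK="${HOOK:-/etc/resolvconf/update.d/unbound}"
# Threshold from the thread: versions older than this may carry an executable hook.
FIXED_IN="1.5.7-3~"

# Return 0 if this preinst invocation should clear the hook's exec bits.
# dpkg calls preinst as "install [old-version]" or "upgrade old-version".
needs_hook_disable() {
    action="$1" old_version="$2"
    case "$action" in
        install|upgrade) ;;
        *) return 1 ;;          # abort-upgrade etc.: leave the file alone
    esac
    # Fresh install: no old version, so there is no old conffile mode to migrate.
    [ -n "$old_version" ] || return 1
    dpkg --compare-versions "$old_version" lt "$FIXED_IN"
}

disable_hook() {
    if needs_hook_disable "$1" "$2" && [ -f "$HOOK" ]; then
        # a-x clears the bit for all classes regardless of umask (the thread
        # writes "chmod -x"). No "|| true": under set -e a failure aborts here.
        chmod a-x "$HOOK"
    fi
}

disable_hook "$@"
```

As the message notes, this also clears the bit for anyone who installed 1.5.7-2 fresh and then ran chmod +x on the hook themselves.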


