[Pkg-dns-devel] Bug#593940: Bug#593940: Bug#593940: bind9utils: dnssec-{keygen, signzone} should not be in /usr/sbin

Ondřej Surý ondrej at sury.org
Thu Dec 14 08:34:56 UTC 2017 

I think that best course of action would be to wait till January and
fill an upstream issue in an upstream gitlab for BIND ;)

I think this is reasonable, but what about we change this in an upstream
first and then backport the change?

O.
-- 
Ondřej Surý <ondrej at sury.org>

On Wed, Dec 13, 2017, at 20:18, Daniel Kahn Gillmor wrote:
> Hi all--
> 
> On Wed 2017-12-13 16:00:26 +0100, Bernhard Schmidt wrote:
> > Control: tags -1 + wontfix
> 
> I don't think this is a good resolution for #593940, and i hope we can
> revert it.
> 
> > On Sun, Aug 22, 2010 at 03:41:49PM +0200, Philipp Kern wrote:
> >
> >> Package: bind9utils
> >> Version: 1:9.7.1.dfsg.P2-2
> >> Severity: normal
> >> 
> >> Why are dnssec-{keygen,signzone} in /usr/sbin?  They are perfectly usable
> >> from normal user accounts and zone signing actions are not exactly carried
> >> through by "system binaries" as specified by the FHS.
> >
> > This is where upstream (and every other distribution) puts these
> > files.
> 
> By this argument, we would never fix any upstream bugs at all :)  Debian
> has the opportunity to lead the way here.
> 
> > Changing this now would break compatibity with everyone else and
> > existing scripts referencing the full path name.
> 
> Debian policy §6.1 (about maintainer scripts) says:
> 
>     Programs called from maintainer scripts should not normally have a
>     path prepended to them. Before installation is started, the package
>     management system checks to see if the programs ldconfig,
>     start-stop-daemon, and update-rc.d can be found via the PATH
>     environment variable. Those programs, and any other program that one
>     would expect to be in the PATH, should thus be invoked without an
>     absolute pathname. Maintainer scripts should also not reset the
>     PATH, though they might choose to modify it by prepending or
>     appending package-specific directories. These considerations really
>     apply to all shell scripts.
> 
> Note the last sentence ;)
> 
> Yes, people do put the full path in their scripts, which makes them
> brittle and unfortunate.  Why do people put the full path in their
> scripts?  Often it's because the tools they want to use aren't shipped
> already in the $PATH.  For example, the useful tools in bind9utils.
> 
> So actually fixing this bug would lead to less brittle systems in the
> future, which is a good thing.
> 
> > Nothing prevents you from calling these programs with the full path (or
> > changing PATH in your script). 
> 
> If we want to continue supporting things that have embedded the full
> path, we can ship symlinks in /usr/sbin/ that point back to /usr/bin.
> 
> If we shipped these backward-compatibility symlinks, would that be
> acceptable to address your concerns?
> 
>            --dkg
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
> Email had 1 attachment:
> + signature.asc
>   1k (application/pgp-signature)

More information about the pkg-dns-devel mailing list