Bug#256456: [Pkg-firebird-general] Bug#256456: firebird: Debconf abuse

Christian Perrier <bubulle@debian.org>, 256456@bugs.debian.org
Mon, 28 Jun 2004 07:47:10 +0200

Quoting Remco Seesink (raseesink@hotpop.com):

> > need for yelling and artificially enhance debconf long descriptions),
> > improperly using the first person and making direct reference to the
> > maintainer's address, may be seen as debconf abuse, in my opinion.
> >
> > Such notes pertain to NEWS.Debian, which is exactly meant for such us=
> Ok, I can see your point. The capital letters could certainly be fixed.
> But if the notice about the security bugs are moved to NEWS.debian the =
> could easily miss them. There are cases such as unattended install where they
> will miss it anyway, so maybe that is not a valid point to make.

This often is a debate and I can't say you that I was a bit mixed on
that "debconf abuse"...:-)

Indeed, I wanted you to consider that even if a debconf note is kept
(your arguments are valid...NEWS.Debian are less often displayed mostly
because people do not use apt-listchanges properly), it should be
reformulated less "aggressively".

I suggest removing capital letters and ">>>>> <<<<<" signs. Just make
it a normal debconf note and count on your readers' intelligence...:-)

Another argument for keeping a note is that debconf notes may be
translated while NEWS.Debian currently can't be.

> How about not enabling the firebird daemon by default? That would at least not
> open security holes by default. Maybe a debconf question if it needs to=
> enabled? Would this be good enough to lower the bug's priority to impor=

Well, that'd be a good idea, yes. Make a debconf boolean question
about enabling the daemon AND put a mention of the security hole in
its long description. Of course, the default answer to this question
should be "false".

For writing this debconf template for a boolean question, please check
http://people.debian.org/~bubulle/dtsg/dtsg.txt for advice about how
to write debconf templates.

> If not we need to have a different solution otherwise the 1.0.x series =
> not get into sarge.

I'm afraid that even if the daemon is not enabled by default, the
package should not go into sarge as is. So, lowering its severity is
not possible, imho.

By the way, you have to coordinate with the security team on this issue.

> > This has been found during the french translation work, which you wil=
> > receive soon, anyway (on this topic also...please take care of transl=
> > and consider warning them whenever you change debconf templates).
> Apologies, I have little experience in the translation process. I didn't know
> if this was automated.

It is partly automated: if you make changes to your templates, the
translators will learn about these in translation status pages...but
of course *after* you uploaded the updated package.

So, they will send you updates which will require another update.

Once the templates file is rewritten, please run "debconf-updatepo",
put the debian/po directory content somewhere,
then "grep '^Last-Translator' debian/po/*po" and mail these people by
pointing them to the place you put the files....and asking them to
send you updates.

Wait for a couple of days and then upload with the updates you
received. Some translators may ask you for a delay because we have
some proofreading systems in big teams.....it's up to you to ask them
to hurry up, if the new upload is security related.

We do not have better options now. If an upload is urgent because of
security concerns, of course forget about translations, we will adapt