Bug#677834: writes to /usr/share/jed/lib during postinst

Wookey wookey at wookware.org
Mon Nov 25 11:16:11 UTC 2013 

+++ Marc Haber [2013-11-25 09:10 +0100]:
> On Mon, Jun 18, 2012 at 10:52:36AM +0200, Guenter Milde wrote:
> > > I am not sure whether this is a policy violation, but it is most
> > > probably a surprise for most users. In Debian I expect all files under
> > > /usr to come from packages, and thus be static. This is not the case
> > > for the *.slc files that are written to /usr/share/jed/lib during
> > > postinst with a call to /usr/share/jed/compile/jed-common install.
> > 
> > The *.slc files are bye-compiled versions of the corresponding *.sl files in
> > the packages jed-common and jed-extra.
> > 
> > Placing them alongside the sources is common practice and prevents
> > surprises when customizing the editor (using a custom jed-library-path,
> > using drop-in replacements from jed-extra or locally installed).
> 
> > > In my expectations, such files should be in /var/lib since they're
> > > variable data and not registered with the packaging system.
> > 
> > The byte-compiled filea are no more variable than the rest of the
> > package, as they are only generated/deleted when the package is
> > (de)installed or updated.
> 
> But they do not originate from a package, cannot have their checksum
> verified, dpkg --search doesn't find them. All of those are usually
> signs for a file that was put there in an unauthorized way, and one
> cannot find out whether it was a dumb colleague, a postinst or an
> attacker.

You are quite right that it would be nicer for these files to be under
/var. However, the current state has presumably been true for over a
decade so this is not a new problem, and the jed packages are now in
life-support maintenance mode. So, whilst fixing this would be nice, I'm
not sure anyone is really going to make the effort to change the way
this works at the late stage in the packages' life.

If you/someone supplies good patches then this can get fixed, otherwise
it'll probably stay as it is.

Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/

More information about the Pkg-jed-devel mailing list