Package: dovecot-core
Version: 1:2.2.13-11
Severity: serious

The postinst for this package has a line like this one:

        echo \# old config >> /etc/dovecot/conf.d/10-ssl.conf

Please *don't* do that. It not only violates the spirit of policy
(user changes should be preserved), it is also a recipe for disaster.

Suppose I had the old configuration file served by puppet. The upgrade
modifies the file, then puppet restores the file to its original state.
Then the next upgrade will change the file to the new ucf default,
which may be completely unsuitable for my system.

Quoting policy:

    These two styles of configuration file handling must not be mixed, for
    that way lies madness: `dpkg' will ask about overwriting the file
    every time the package is upgraded.

I see that there is a default in ucf, but apparently the default for
wheezy may not be updated to the default in jessie without breaking
currently working systems.

I wonder, then, why ucf is used at all to manage the file.

More quotes from policy:

    The easy way to achieve this behavior is to make the configuration
    file a `conffile'.  This is appropriate only if it is possible to
    distribute a default version that will work for most installations,
    although some system administrators may choose to modify it.

I understand that UCF falls in the "easy way" category. However, there
is not a default version that will work for most installations.

IMHO, if ucf is not suitable for 10-ssl.conf, it follows that this
package should not use the ucf mechanism for such a file. I wonder
what's the problem in copying the file from a default somewhere in
/usr/share/dovecot the very first time the package is installed and
not modify the file at all on upgrades.

I'm setting this to serious because I believe this package should not
reach testing in its current state, but feel free to disagree.

Thanks.
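
An added example, not part of the original report and not the package's own code: a sketch of the "copy the default only on the very first install" approach the report proposes. The function name, the ROOT prefix argument (so it can be run against a scratch directory) and the exact template path under /usr/share/dovecot are assumptions.

```shell
#!/bin/sh
# Hypothetical postinst helper: seed 10-ssl.conf from a shipped template
# on first install only, and never touch it again on upgrades.
#
# seed_config ROOT ACTION [PREVIOUS_VERSION]
#   ROOT              path prefix ("" on a real system; assumption, for testing)
#   ACTION            first argument dpkg passes to postinst
#   PREVIOUS_VERSION  second argument; empty on a fresh install
seed_config() {
    root=$1
    action=$2
    prev=${3:-}
    # Template location is an assumption; the report only says
    # "a default somewhere in /usr/share/dovecot".
    template="$root/usr/share/dovecot/conf.d/10-ssl.conf"
    target="$root/etc/dovecot/conf.d/10-ssl.conf"

    # Only act during normal configuration.
    [ "$action" = "configure" ] || return 0

    # Upgrade (a previous version was configured): leave the file alone,
    # whether the admin edited it, replaced it, or deleted it.
    [ -z "$prev" ] || return 0

    # Fresh install, but a file is already present (for example one
    # deployed by configuration management): it belongs to the admin.
    [ ! -e "$target" ] || return 0

    mkdir -p "$(dirname "$target")"
    # Write to a temporary name and rename, so an interrupted run never
    # leaves a half-written configuration file behind.
    tmp="$target.dpkg-new"
    cp "$template" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target"
}

# In a real postinst this would be called as:  seed_config "" "$@"
```
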

