Dear Boyuan,

Thanks for your info!
Please don't reply to <sub...@bugs.debian.org>, which is for reporting new bugs.

On Mon, Jul 4, 2016 at 9:16 AM, YANG Boyuan <073p...@gmail.com> wrote:
> Hi all,
>
> It's pretty clear that this problem was introduced in the RFS procedure
> [0]. Seems that it is not a good solution and should be reverted.
>
> The mentor in the RFS procedure was worried about the *fixed* password in
> the conffile [1], and the solution was to use apg in the postinst script [0].
> I would state that the originally proposed problem actually does not
> exist.
>
> First of all, the default shipped conffile is a stub [2] and will not
> work if you don't modify it. The server will listen on 127.0.0.1:8388
> and is not accessible from the external network, so no security vulnerability
> will take place. We should expect users to change the fixed password
> when doing the necessary configuration.

You cannot assume the package always installs on a box behind a NAT gateway.

> But if the fixed password *is* a problem, a better solution may be not
> to ship a configuration json file by default. One (or more) example
> configuration file(s) may be shipped as a demonstration.
>
> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825532#57
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825532#43
> [2] https://github.com/rogers0/shadowsocks-libev/blob/pkg7/debian/config.json

The fix may be one of the following:
- move the config from /etc/ to somewhere else, such as /var/cache
- use debconf to get the password from the user when installing, as Andreas said in a previous email

I'll investigate more on this issue later.

Cheers,
--
Roger Shimizu, GMT +2 Cape Town (in DebConf16)
PGP/GPG: 4096R/6C6ACD6417B3ACB1
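As an added example (not code from the package or from this thread), here is a hypothetical postinst fragment implementing the "generate the password in postinst" approach the thread discusses, written so that it only touches the shipped stub value and therefore never overwrites a password an administrator has already set. The stub password, the sample config and the use of a temporary file instead of the real /etc path are constructed assumptions.

```shell
#!/bin/sh
# Hypothetical postinst fragment, not the package's own code: if the installed
# config still carries the shipped stub password, replace it with a freshly
# generated one so that no two installs share a well-known credential.
set -e

# Constructed placeholder; the real stub value lives in debian/config.json.
STUB_PASSWORD="stubpass"

gen_password() {
    # Prefer apg (as proposed in the RFS review); fall back to the kernel CSPRNG.
    if command -v apg >/dev/null 2>&1; then
        apg -n 1 -m 16 -x 20 -M NCL
    else
        head -c 18 /dev/urandom | base64 | tr -d '/+=\n'
    fi
}

# Rewrites $1 and returns 0 only when the stub password is still present, so an
# administrator's own password is never overwritten on a later upgrade.
replace_stub_password() {
    cfg="$1"
    pattern="\"password\"[[:space:]]*:[[:space:]]*\"$STUB_PASSWORD\""
    grep -q "$pattern" "$cfg" || return 1
    newpw=$(gen_password)
    sed "s|$pattern|\"password\": \"$newpw\"|" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    chmod 0600 "$cfg"   # the file now holds a real secret; keep it unreadable to others
}

# Constructed sample of the shipped stub (listens on 127.0.0.1:8388, as the thread notes).
write_stub_config() {
    printf '{\n    "server": "127.0.0.1",\n    "server_port": 8388,\n    "password": "%s"\n}\n' \
        "$STUB_PASSWORD" > "$1"
}

# Stand-alone demonstration on a temporary file instead of /etc.
demo_cfg=$(mktemp)
write_stub_config "$demo_cfg"
replace_stub_password "$demo_cfg"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

A debconf-based variant would replace gen_password with a db_get of a value asked at install time; the stub check and the 0600 mode stay the same.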