Control: severity -1 important Control: found -1 2.6.6-7 Hi,
After some research, I traced the bug to a conffile rename that was done on May 2013 (2.6.6-7). That is, the bug is present on wheezy -> jessie transitions. There's nothing that can be done now to fix this prompt (those files are already "modified"). So getting modsecurity out of Stretch won't solve it (thus lowering the severity). I will remove the transitional package on my next upload, but that won't fix the issue for Stretch anyway. Regards, Alberto On Mon, Jan 16, 2017 at 05:59:41PM +0100, Andreas Beckmann wrote: > Package: libapache2-modsecurity > Version: 2.9.1-2 > Severity: serious > User: debian...@lists.debian.org > Usertags: piuparts > > Hi, > > during a test with piuparts I noticed your package failed the piuparts > upgrade test because dpkg detected a conffile as being modified and then > prompted the user for an action. As there is no user input, this fails. > But this is not the real problem, the real problem is that this prompt > shows up in the first place, as there was nobody modifying this conffile > at all, the package has just been installed and upgraded... > > This is a violation of policy 10.7.3, see > https://www.debian.org/doc/debian-policy/ch-files.html#s10.7.3, > which says "[These scripts handling conffiles] must not ask unnecessary > questions (particularly during upgrades), and must otherwise be good > citizens." > > https://wiki.debian.org/DpkgConffileHandling should help with figuring > out how to do this properly. > > In https://lists.debian.org/debian-devel/2009/08/msg00675.html and > followups it has been agreed that these bugs are to be filed with > severity serious. > > >From the attached log (scroll to the bottom...): > > Setting up libapache2-mod-security2 (2.9.1-2) ... > > Configuration file '/etc/apache2/mods-available/security2.conf' > ==> Modified (by you or by a script) since installation. > ==> Package distributor has shipped an updated version. > What would you like to do about it ? Your options are: > Y or I : install the package maintainer's version > N or O : keep your currently-installed version > D : show the differences between the versions > Z : start a shell to examine the situation > The default action is to keep your current version. > *** security2.conf (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing > package libapache2-mod-security2 (--configure): > end of file on stdin at conffile prompt > dpkg: dependency problems prevent configuration of libapache2-modsecurity: > libapache2-modsecurity depends on libapache2-mod-security2; however: > Package libapache2-mod-security2 is not configured yet. > > dpkg: error processing package libapache2-modsecurity (--configure): > dependency problems - leaving unconfigured > Setting up libcap2-bin (1:2.25-1) ... > Processing triggers for libc-bin (2.24-8) ... > Processing triggers for systemd (232-8) ... > Errors were encountered while processing: > libapache2-mod-security2 > libapache2-modsecurity > > > This was observed during a wheezy->jessie->stretch upgrade test. > > > cheers, > > Andreas -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55