Hi again,

Ola Lundqvist <[EMAIL PROTECTED]> (22/04/2006):
> On Fri, Apr 21, 2006 at 10:52:40PM +0200, Thomas Huriaux wrote:
> > Ola Lundqvist <[EMAIL PROTECTED]> (21/04/2006):
> > > On Fri, Apr 21, 2006 at 07:35:01PM +0200, Thomas Huriaux wrote:
> Please tell me what is hard to understand with these notes instead.

I have no problem understanding what these notes are saying. I just
don't understand their positions. Why in the installation process when
the actions will have to be taken after the installation and have no
direct relation with the package usability?

> > > > Conclusion: If you want to keep the current philosophy of the package
> > > > without bothering users with pointless notes, you should take the
> > > > following actions:
> > > > * remove harden/welcome (or move it to a README.Debian file)
> > > It is already with priority low output, so I do not really agree.
> > 
> > Even with a low priority, once again, imagine that every package
> > displays a note with "Hello, you are using the foobar package. You
> > can find more documentation blablabla...". It would simply make the low
> > priority unused by users.
> 
> That is what you have low priority for. The default is medium and therefore
> you will not have them printed with the default option. So what is the
> problem?

No, low priority is for very customized configuration options that
should not be displayed to the normal user during the installation.
Welcome notes should not exist, as advanced users don't care about these
notes and normal users won't see them as they don't want to have too
difficult questions to answer.

> > > > * remove harden-*/plaintext and emphasize (if needed) the package
> > > >   description about the conflicts
> > > But they are not for describing the conflicts.
> > 
> > See above.
> > 
> > > > * provide documentations such as README, manpage, ... for
> > > >   harden-servers/inetd and harden-servers/vncserver (and of course
> > > >   remove those notes)
> > > 
> > > No, I will not do this last point, unless inetd has changed its
> > > defaults of course.
> > 
> > Still the same difference of opinion, i.e. something like that has no
> > added value during the package configuration process.
> 
> BUT the package has NO use without the notes and the conflicts!!! It does
> not contain anything else.

I indeed think that the only use of the package is to use the conflicts
field. And this is a good idea to avoid installing not secured packages.
But if I want to harden a system, I won't follow your debconf
instructions but read a complete documentation.

> > I'm afraid our main disagreement is the distinction I made between
> > installation/configuration of a package and use of a package. It seems
> > for me that you consider you're using a package as soon as you start
> > to install it.
> In this case it is true as this is mostly a meta package with some
> additional help to the user.
> 
> > If I'm right with this last statement, then I will change my
> > argumentation :-)
> > 
> > Sorry to be so insistent for the removal of these debconf templates, but
> > one of my main activities within Debian is debconf-related QA and I'm
> > still convinced that you are using debconf where you should not.
> > That's why I really would like to see this issue fixed :-)
> 
> Well I am still not convinced and as I have seen that this package is
> used by quite a few people I assume that people like the idea of it.

I also think the Conflicts part is a good idea. However, the notes at
their current position aren't.

> You are the first person to complain about these notes.

No, I'm not, please read #144652 for example.

I don't know exactly how your users are using your package, but I don't
think they are really using your notes to configure their systems. They
just take advantage of the Conflicts part, and use the normal
documentation to harden the rest of the system.

I'm just reading the other bug reports, it seems that most (all?) of
them are asking for conflicts and not new instructions (if we do not take
into account bugs that are not related to usage or were filed by you).

> If you get consensus about this on debian-devel (which I do not read
> by the way) or you can convince many people to answer this bug with
> the same opinion I may change my mind.
> 
> You see the inetd note was created because users requested that inetd
> servers should be disabled by default when installing this package. I
> decided that it was not a good thing to change configuration so
> therefore I added this note.
> 
> The plaintext password notes were added because I could not find
> out a good way to configure all servers to use encryption, so that
> note was added.

Once again, I don't think stopping the installation process to tell what
your package is not doing and what the user has to do manually is a good
idea.

> I still do not understand why you think they are so bad as these
> two things are quite important for hardening of a system. A better
> thing would of course be if I had implemented functions for editing
> inetd services and also to configure password handling for all clients
> and servers, but I have not really had the time to start such a big
> project.

I don't think it is bad, but that the installation process is not the
place to display these notes. If you want to have a kind of interactive
list of instructions, I take back my idea of a binary, so that after
installing the packages, I can type "harden" when I want in a terminal,
and have a list of things I should do or I should check. Every time a
thing is done, I validate to have the following instruction. That's
where this kind of instructions should appear.

Cheers,

-- 
Thomas Huriaux
