Ola Lundqvist <[EMAIL PROTECTED]> (22/04/2006):
> On Sat, Apr 22, 2006 at 01:18:09PM +0200, Thomas Huriaux wrote:
> > Ola Lundqvist <[EMAIL PROTECTED]> (22/04/2006):
> > > On Fri, Apr 21, 2006 at 10:52:40PM +0200, Thomas Huriaux wrote:
> > > > Ola Lundqvist <[EMAIL PROTECTED]> (21/04/2006):
> > > > > On Fri, Apr 21, 2006 at 07:35:01PM +0200, Thomas Huriaux wrote:
> > > Please tell me what is hard to understand with these notes instead.
> > 
> > I have no problem understanding what these notes are saying. I just
> > don't understand their positions. Why in the installation process when
> > the actions will have to be taken after the installation and have no
> > direct relation with the package usability?
> 
> Because there is no way to display things at the end of the installation
> process, right?

No, but *after* the installation process, there are plenty of ways.
It would then be displayed when it is appropriate for the user to see it,
i.e. when he intends to take the actions suggested by the harden
packages, but related to other packages configuration.


> > No, low priority is for very customized configuration options that
> > should not be displayed to the normal user during the installation.
> > Welcome notes should not exist, as advanced users don't care about these
> > notes and normal users won't see them as they don't want to have too
> > difficult questions to answer.
> 
> What you are saying is that notes should not be used at all, even with
> low priority. I know that the manpage tells that it should be avoided but
> I still think it is valid in this situation.

No, I'm not saying that notes should not be used at all. It should be
used for important notes related to the _installation_ of a package.
For example, if the user should rename a configuration file to get the
package working, if an upgrade failed, etc.
Here, you are telling the user that he should configure *other* packages
during the installation of your package.


> > I indeed think that the only use of the package is to use the conflicts
> > field. And this is a good idea to avoid installing not secured packages.
> > But if I want to harden a system, I won't follow your debconf
> > instructions but read a complete documentation.
> 
> I can agree that reading the full doc is what you should do. These notes
> are for new maintainers and therefore printed with low or medium priority.

The full doc or an introduction, or everything else appropriate for my
level of knowledge. But I won't read it during the installation of a
package, as I'd better wait for the package to be installed before doing
anything.


> > > You are the first person to complain about these notes.
> > 
> > No, I'm not, please read #144652 for example.
> 
> That bug does not complain about the display of the message but rather that it
> does not have an intelligent check before displaying it.

Quoting the bug:
  It was also a bit annoying that it interrupted the smooth progress of
  my "apt-get upgrade" part-way through for a very non-critical
  non-question.
This is one of my main arguments since the beginning of the discussion,
and exactly what is said in the debconf-devel manpage.


> > I don't know exactly how your users are using your package, but I don't
> > think they are really using your notes to configure their systems. They
> > just take advantage of the Conflicts part, and use the normal
> > documentation to harden the rest of the system.
> > 
> > I'm just reading the other bug reports, it seems that most (all?) of
> > them are asking for conflicts and not new instructions (if we do not take
> > into account bugs that are not related with usage or were filed by you).
> 
> Yes, and?

So I don't think your users are expecting instruction notes, but mainly
a real meta-package with Conflicts, Recommends, etc. But this is only
hypothetical, as I don't know any of these users.


> These notes are the first most important general things to consider
> for a default installed system.

But why display it during the _installation_ of the package?
That should be displayed when you want to harden your system, i.e. when
you are _using_ the harden package, not installing it.


> > > If you get consensus about this on debian-devel (which I do not read
> > > by the way) or you can convince many people to answer this bug with
> > > the same opinion I may change my mind.
> > > 
> > > You see the inetd note was created because users requested that inetd
> > > servers should be disabled by default when installing this package. I
> > > decided that it was not a good thing to change configuration so
> > > therefore I added this note.
> > > 
> > > The plaintext password note was added because I could not find
> > > out a good way to configure all servers to use encryption, so that
> > > note was added.
> > 
> > Once again, I don't think stopping the installation process to tell what
> > your package is not doing and what the user has to do manually is a good
> > idea.
> 
> Then please file a bug report to debconf to tell that this function should
> be totally removed. For what else should these notes be, than to tell that
> the admin needs to do something manually?

These notes are displayed if the admin needs to do something manually
related to the _usability_ of the package he's installing.


> > > I still do not understand why you think they are so bad, as these
> > > two things are quite important for hardening of a system. A better
> > > thing would of course be if I had implemented functions for editing
> > > inetd services and also to configure password handling for all clients
> > > and servers, but I have not really had the time to start such a big
> > > project.
> > 
> > I don't think it is bad, but that the installation process is not the
> > place to display these notes. If you want to have a kind of interactive
> > list of instructions, I take back my idea of a binary, so that after
> > installing the packages, I can type "harden" when I want in a terminal,
> > and have a list of things I should do or I should check. Every time a
> > thing is done, I validate to have the following instruction. That's
> > where this kind of instructions should appear.
> 
> But how does the user know that he/she should type harden?

Do you always need a debconf note explaining what you have to do to
use a package? Just say in the package description that it provides a
tool that presents the main issues and solutions.
If I install the package foo, I try "foo" to launch it. If it fails,
then I search for documentation to know how to use the package.
README* files are usually a good start.


> But if you want to provide me with such a binary (harden) then please
> do so.

I won't do it as I'm not interested in this package. But the main point
here is to convince you that you are misusing debconf and that you
should consider alternatives. Or to convince me of the contrary :-) But
not to create an alternative without agreeing.

Cheers,

-- 
Thomas Huriaux
