Hi Martijn

Martijn van Brummelen <mart...@brumit.nl> writes:

> I'm not sure if the suggested patch is ok or not, or if I should provide a better patch?
> I asked on the debian-devel mailing list[0]/irc but did not get much response.
> It would be a pity if Jessie would be released without it.
> Can someone advise me on this?

Surely not having the package in testing and thus jessie is the worst
option. So there needs to be a fix for this bug very soon. Here are my
thoughts about it:

1. IMO the severity and tags of this bug are overrated. One possible
   solution is to just downgrade this to wishlist and remove the security
   tag. I'm not at all convinced that this is a security problem in your
   package. One thing you have to make sure in this case is that you
   don't overwrite any configuration already in place. So if it's set to
   optional in the authentication phase before the upgrade it should
   stay at this setting. Everything else is a Debian Policy violation.
   Not overwriting the existing configuration solves the security
   problem. There is no security problem on new installs IMO. If someone
   installs a script that allows unconditional authentication and does
   not check the pam-script configuration, then this is a configuration 
   error outside of your package.

2. Basically this is an issue about the right default policy for the
   authentication phase of libpam-scripts. This is IMO something you as
   the maintainer can decide. Every value is right in some cases and
   wrong in others. There is no single value that will suit everyone. I
   proposed sufficient as the default value, but I can live with every
   setting and agree that there are good reasons to change the setting.
   Probably optional is indeed the most conservative setting. But also
   the one that means that the setting must be changed for many use
   cases.

Gaudenz

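The practical difference between the control values discussed above (sufficient vs. optional for the pam_script auth entry), as an added example that is not part of this thread or of the libpam-script package: a simplified Python model of how Linux-PAM walks an auth stack. The module names, the user table and the "script that always succeeds" are constructed stand-ins, and the model ignores the `[value=action]` syntax.

```python
from dataclasses import dataclass
from typing import Callable, List

# Added, simplified model of Linux-PAM control-flag semantics for one
# management group (here "auth"). It is not the real libpam code and
# ignores the "[value=action]" syntax; module names and data are constructed.

CheckFn = Callable[[str, str], bool]


@dataclass
class Module:
    control: str    # "required", "requisite", "sufficient" or "optional"
    name: str
    check: CheckFn  # (user, password) -> True on PAM_SUCCESS


def evaluate_stack(stack: List[Module], user: str, password: str) -> bool:
    """Return True if the stack as a whole authenticates (user, password)."""
    required_failed = False   # a required module already failed
    saw_decisive = False      # any non-optional module was evaluated
    optional_result = False   # last optional result, used if nothing decisive
    for m in stack:
        ok = m.check(user, password)
        if m.control == "requisite":
            saw_decisive = True
            if not ok:
                return False            # fail immediately, skip the rest
        elif m.control == "required":
            saw_decisive = True
            if not ok:
                required_failed = True  # remember, but keep walking the stack
        elif m.control == "sufficient":
            saw_decisive = True
            if ok and not required_failed:
                return True             # short-circuit: authenticated
            # a failing sufficient module is simply ignored
        elif m.control == "optional":
            optional_result = ok        # only matters if nothing else decides
        else:
            raise ValueError(f"unknown control value: {m.control}")
    if not saw_decisive:
        return optional_result
    return not required_failed


# Constructed stand-ins for pam_unix and for a pam_script hook whose
# script always exits 0 (the "unconditional authentication" case the
# mail mentions as a configuration error).
USERS = {"alice": "correct horse"}


def pam_unix(user: str, password: str) -> bool:
    return USERS.get(user) == password


def always_ok_script(user: str, password: str) -> bool:
    return True


def compare_defaults(user: str, password: str) -> dict:
    """Same script, two control values for pam_script placed ahead of pam_unix."""
    as_sufficient = [Module("sufficient", "pam_script", always_ok_script),
                     Module("required", "pam_unix", pam_unix)]
    as_optional = [Module("optional", "pam_script", always_ok_script),
                   Module("required", "pam_unix", pam_unix)]
    return {
        "sufficient": evaluate_stack(as_sufficient, user, password),
        "optional": evaluate_stack(as_optional, user, password),
    }


if __name__ == "__main__":
    print(compare_defaults("alice", "wrong password"))
    # -> {'sufficient': True, 'optional': False}
    print(compare_defaults("alice", "correct horse"))
    # -> {'sufficient': True, 'optional': True}
```

With `optional`, the script's verdict is ignored as soon as any required/requisite/sufficient module is present, so pam_unix still decides; with `sufficient`, an always-succeeding script short-circuits the stack before pam_unix runs. That is the sense in which optional is the conservative default, and also why a deployment that actually wants the script to grant access has to change the setting.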
