Hi everyone!

On Tue, Dec 12, 2023 at 03:08:49PM +0100, Helmut Grohne wrote:
[..]
> Almost two weeks later, I'm back with what I hope is a solution.
[..]
> At the time of this writing, my preferred solution is restoring the lost
> files in postinst. Fortunately, they are all symlinks in the case of
> systemd-sysv, so restoring them is a rather simple matter. And this is
> what the attached systemd patch does.
[..]
> This is not the option I'm going for now. Rather, given that systemd can
> paper over the loss we can make the loss very unlikely by having
> molly-guard not declare Breaks against systemd-sysv. As a result, apt no
> longer sees a mutual conflict and no longer schedules temporary removal.
> Thus, the loss scenario (usually) does not happen (though systemd-sysv
> still mitigates it).

I think this is a good plan, even though this means quite a few
packages will have to do this in their maintainer scripts. I'll note
that all affected packages will have to cooperate.

[..]
>     /usr/sbin/halt -> /usr/sbin/halt.no-molly-guard

I think this is a bit of a problem. My understanding of
molly-guard's primary feature is to hide dangerous programs from
$PATH, to avoid execution by overworked (or otherwise inattentive)
operators.

Keeping the dangerous programs in $PATH, under a similar-enough name
that TAB-completion works, might be a serious downgrade in
functionality to molly-guard's audience.

I would suspect for other packages, like progress-linux-container,
it might be worse, if they expect to completely disable these
programs.

As said above, this is all speculation, but I want to point this
out, and maybe Francois can comment if this is acceptable for
molly-guard?

[..]
> So now I am attaching the result of my work. I invite people to review
> it (even though I understand that this is a complex matter). In
> particular, I am also interested in what kind of tests I should be
> performing in addition.

I've asked you before on IRC about the test cases I thought to be
the "interesting" ones and you pointed out they are already
covered by the attached testcases and they have a success outcome.

Chris
