Bug#987969: privoxy: leftovers on purge
On Mon, 2021-05-03 at 08:55 +0200, Roland Rosenfeld wrote:
> It seems to be consensus that deleting users on purge is a bad idea,
> see policy bug reports
> https://bugs.debian.org/228692
> https://bugs.debian.org/291177
> https://bugs.debian.org/621833
> but it is still not written to the policy, but only in the above wiki
> page and bug reports.
>
> So it seems to be best practice to keep the user on purge.
>
> Is it okay to close this bug report accordingly or do you prefer to
> keep it open and tag it "wontfix"?

I made some comments on #621833.

Especially, cleaning up the users isn't really much worse than creating them in the first place.
Actually I'd even say it's better, from a security PoV, cause deleting them will likely just loudly break things - while creating/using a user which may already be used by someone likely introduces a privilege issue.

Cheers,
Chris.

Bug#987969: privoxy: leftovers on purge
Hi Christoph!

On Mon, 03 May 2021, Christoph Anton Mitterer wrote:

> Package: privoxy
> Version: 3.0.32-2
> Severity: normal
>
> I've just noted, that when purging the package, at least the user
> is left behind and not removed.
>
> Any reason for that?

Thanks for your report.
Yes, there is a reason for disabling the user deletion on purge:

privoxy (3.0.6-3) unstable; urgency=low

  * According to http://wiki.debian.org/AccountHandlingInMaintainerScripts
    removing system users in postrm isn't a good idea. So the removal
    of user privoxy in postrm was disabled and deluser/adduser of
    existing user in postinst was also removed. This should avoid
    problems with purging privoxy if passwd package isn't installed
    (Closes: #417015).

 -- Roland Rosenfeld Sat, 19 May 2007 21:22:42 +0200

It seems to be consensus that deleting users on purge is a bad idea,
see policy bug reports
https://bugs.debian.org/228692
https://bugs.debian.org/291177
https://bugs.debian.org/621833
but it is still not written to the policy, but only in the above wiki
page and bug reports.

So it seems to be best practice to keep the user on purge.

Is it okay to close this bug report accordingly or do you prefer to
keep it open and tag it "wontfix"?

Greetings
Roland

Bug#987969: privoxy: leftovers on purge
Package: privoxy
Version: 3.0.32-2
Severity: normal

Hey.

I've just noted, that when purging the package, at least the user is left behind and not removed.

Any reason for that?

Cheers,
Chris.