Debian Bug report logs - #601220
noip2: abuse of debconf

version graph

Package: noip2; Maintainer for noip2 is (unknown);

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 24 Oct 2010 12:48:02 UTC

Severity: serious

Found in version no-ip/2.1.9-3

Fixed in version 2.1.9-4+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sun, 24 Oct 2010 12:48:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
New Bug report received and forwarded. Copy sent to jwilk@debian.org, Otavio Salvador <otavio@debian.org>. (Sun, 24 Oct 2010 12:48:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: noip2: abuse of debconf
Date: Sun, 24 Oct 2010 14:44:16 +0200
[Message part 1 (text/plain, inline)]
Package: noip2
Version: 2.1.9-3
Severity: serious
Justification: Policy 10.7

The only place noip2 store configuration data (apart from the debconf 
cache) is a binary blob in /var/lib/noip2/. This file will be happily 
overwritten on each upgrade using *only* values supplied by debconf.

-- 
Jakub Wilk
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sun, 14 Nov 2010 16:00:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hector Oron <zumbi@debian.org>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sun, 14 Nov 2010 16:00:08 GMT) Full text and rfc822 format available.

Message #10 received at 601220@bugs.debian.org (full text, mbox):

From: Hector Oron <zumbi@debian.org>
To: Debian Bug Tracking System <601220@bugs.debian.org>
Subject: Re: Bug#601220: noip2: abuse of debconf
Date: Sun, 14 Nov 2010 15:57:16 +0000
Hello,

On Sun, Oct 24, 2010 at 02:44:16PM +0200, Jakub Wilk wrote:
> Package: noip2
> Version: 2.1.9-3
> Severity: serious
> Justification: Policy 10.7
> 
> The only place noip2 store configuration data (apart from the
> debconf cache) is a binary blob in /var/lib/noip2/. This file will
> be happily overwritten on each upgrade using *only* values supplied
> by debconf.

  debconf is set to critical asking those questions.

  Otavio, could you give us some feedback on this bug?
  You can read data back (all but password) with noip -S, do you need a patch for this?

  Best regards




Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sun, 14 Nov 2010 18:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@ossystems.com.br>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sun, 14 Nov 2010 18:48:03 GMT) Full text and rfc822 format available.

Message #15 received at 601220@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@ossystems.com.br>
To: Hector Oron <zumbi@debian.org>, 601220@bugs.debian.org
Subject: Re: Bug#601220: noip2: abuse of debconf
Date: Sun, 14 Nov 2010 16:45:04 -0200
On Sun, Nov 14, 2010 at 1:57 PM, Hector Oron <zumbi@debian.org> wrote:
>  Otavio, could you give us some feedback on this bug?
>  You can read data back (all but password) with noip -S, do you need a patch for this?

I haven't have time to look at it. If you can look at it please do.
It is in collab-maint so please take it over :-D

-- 
Otavio Salvador                  O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854         http://projetos.ossystems.com.br




Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Wed, 17 Nov 2010 22:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andres Mejia <mcitadel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Wed, 17 Nov 2010 22:33:06 GMT) Full text and rfc822 format available.

Message #20 received at 601220@bugs.debian.org (full text, mbox):

From: Andres Mejia <mcitadel@gmail.com>
To: 601220@bugs.debian.org, 601220-submitter@bugs.debian.org
Subject: Re: Bug#601220: noip2: abuse of debconf
Date: Wed, 17 Nov 2010 17:31:03 -0500
On Sun, Oct 24, 2010 at 8:44 AM, Jakub Wilk <jwilk@debian.org> wrote:
> Package: noip2
> Version: 2.1.9-3
> Severity: serious
> Justification: Policy 10.7
>
> The only place noip2 store configuration data (apart from the debconf cache)
> is a binary blob in /var/lib/noip2/. This file will be happily overwritten
> on each upgrade using *only* values supplied by debconf.
>
> --
> Jakub Wilk
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIcBAEBCAAGBQJMxCocAAoJEC1Os6YBVHX1bBwP/02ty0C3MHO4vcXjLMCnuT4B
> HTSaoUi/vf+k9PBbtFhaKa5iDE6oSOprOFiGDeuwcFeK+zJU8Hoil3XjheA2x+ak
> LXsF9OUrQeuOJ63j4HSRnTYspsK7RX3ezKqUzMyOT4PdIgIXxV4WtytX2jWs+oP1
> JnbctxKRrwyrfSp9uFvhcc6uUFMZVUGAQRqHq/355qJDKN7b03WFl0gveRFASazn
> LyLOC5Dvm6T0VFRrwTMuRttZZGaU8RTANaid6fQkS2lC4Wk/U7xHrxhtJqGovx7j
> CJjH9ZfMuAASPPEJYepNMN6JimLilxl7PYQ8AFLajiK0JOpkIqJsVW7yRLnaIgEc
> KUKIxShr3tTR48OE+SyiTDU5jRt/+J6cWZz78UgJGfQDnKkNtGu9RYV3Y08Pyy5A
> cJr7t9iXYrfqcqTigobP7ybB8Wd4kZdNjJN7lKPGTQC7jntPrp7shaBAa7o3SzNa
> KXIECM2M15hsqZK5bFaV40LTvcmHmUJVM5g4J8pBR4YcJtISzq55uXaYH2DtaixI
> JvibWOkTdQ4ajHfkEfZzp36PQ+i1Pit55U+KzuRzKCz834eWDtCojLKLsKV63cm8
> qDyqZgUchvvUVkWymTRmT2d9vVImfpub5WLrf1BPpz23FaWun+/y/y+JcPjqC79M
> T99gANkfu3c3BvZQH0Zd
> =Wlvg
> -----END PGP SIGNATURE-----
>
>

For anyone looking into resolving this bug, feel free to remove me as
uploader. I no longer use the noip service thus I no longer have any
interest in maintaining this package.

-- 
Regards,
Andres Mejia




Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#601220. (Wed, 17 Nov 2010 22:33:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Thu, 18 Nov 2010 12:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Thu, 18 Nov 2010 12:00:03 GMT) Full text and rfc822 format available.

Message #28 received at 601220@bugs.debian.org (full text, mbox):

From: Andreas Henriksson <andreas@fatal.se>
To: Andres Mejia <mcitadel@gmail.com>, 601220@bugs.debian.org
Cc: 601220-submitter@bugs.debian.org
Subject: Re: Bug#601220: noip2: abuse of debconf
Date: Thu, 18 Nov 2010 13:00:43 +0100
On Wed, Nov 17, 2010 at 05:31:03PM -0500, Andres Mejia wrote:
> For anyone looking into resolving this bug, feel free to remove me as
> uploader. I no longer use the noip service thus I no longer have any
> interest in maintaining this package.

Please google for "How to orphan packages properly".

-- 
Andreas Henriksson




Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#601220. (Thu, 18 Nov 2010 12:00:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Thu, 18 Nov 2010 13:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andres Mejia <mcitadel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Thu, 18 Nov 2010 13:45:03 GMT) Full text and rfc822 format available.

Message #36 received at 601220@bugs.debian.org (full text, mbox):

From: Andres Mejia <mcitadel@gmail.com>
To: 601220@bugs.debian.org, 601220-submitter@bugs.debian.org
Subject: Re: Bug#601220: noip2: abuse of debconf
Date: Thu, 18 Nov 2010 08:43:46 -0500
On Thu, Nov 18, 2010 at 7:00 AM, Andreas Henriksson <andreas@fatal.se> wrote:
> On Wed, Nov 17, 2010 at 05:31:03PM -0500, Andres Mejia wrote:
>> For anyone looking into resolving this bug, feel free to remove me as
>> uploader. I no longer use the noip service thus I no longer have any
>> interest in maintaining this package.
>
> Please google for "How to orphan packages properly".
>
> --
> Andreas Henriksson
>

Well if the last maintainer doesn't respond or says he no longer wants
to maintain no-ip, then yes, this package should be orphaned.

-- 
Regards,
Andres Mejia




Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#601220. (Thu, 18 Nov 2010 13:45:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sat, 25 Dec 2010 06:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sat, 25 Dec 2010 06:33:03 GMT) Full text and rfc822 format available.

Message #44 received at 601220@bugs.debian.org (full text, mbox):

From: Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>
To: 601220@bugs.debian.org
Cc: Avi Rozen <avi.rozen@gmail.com>
Subject: orphaning noip2? (was: Re: Bug#601220: noip2: abuse of debconf)
Date: Sat, 25 Dec 2010 07:21:51 +0100
Hi,

Andres Mejia wrote:
<snip>
> this package should be orphaned.
<snip>

Is Avi Rozen no longer interested in working on the noip2 Debian package?

If so, it should indeed get orphaned.  Googling revealed:

    You should set the package maintainer to Debian QA Group
    <packages@qa.debian.org> and submit a bug report against the
    pseudo package wnpp. The bug report should be titled O: package
    -- short description indicating that the package is now orphaned.
    The severity of the bug should be set to normal. [...] send a
    copy to <debian-devel@lists.debian.org> by putting the address
    in the X-Debbugs-CC: header of the message [...]

And the bug should be fixed too, of course...

Bye,

Joost





Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sat, 25 Dec 2010 07:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sat, 25 Dec 2010 07:42:03 GMT) Full text and rfc822 format available.

Message #49 received at 601220@bugs.debian.org (full text, mbox):

From: Avi Rozen <avi.rozen@gmail.com>
To: Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>, 601220@bugs.debian.org
Subject: Re: Bug#601220: orphaning noip2? (was: Re: Bug#601220: noip2: abuse of debconf)
Date: Sat, 25 Dec 2010 09:38:19 +0200
[Message part 1 (text/plain, inline)]
On 12/25/2010 08:21 AM, Joost van Baal wrote:
> Hi,
>
> Andres Mejia wrote:
> <snip>
>   
>> this package should be orphaned.
>>     
> <snip>
>
> Is Avi Rozen no longer interested in working on the noip2 Debian package?
>   

Not really.

I'm still using no-ip.com services, but I've recently switched to using
ddclient as the update client.

As for the current bug, I'd like to point out that noip2 configuration
and runtime state has always been kept in a binary "configuration" file.
This doesn't match the Debian policy, and the current "abuse" of debconf
is the result of a our deliberate attempt to workaround it.

Cheers,
Avi

> If so, it should indeed get orphaned.  Googling revealed:
>
>     You should set the package maintainer to Debian QA Group
>     <packages@qa.debian.org> and submit a bug report against the
>     pseudo package wnpp. The bug report should be titled O: package
>     -- short description indicating that the package is now orphaned.
>     The severity of the bug should be set to normal. [...] send a
>     copy to <debian-devel@lists.debian.org> by putting the address
>     in the X-Debbugs-CC: header of the message [...]
>
> And the bug should be fixed too, of course...
>
> Bye,
>
> Joost
>
>
>
>
>   


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sat, 25 Dec 2010 08:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sat, 25 Dec 2010 08:39:03 GMT) Full text and rfc822 format available.

Message #54 received at 601220@bugs.debian.org (full text, mbox):

From: Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>
To: 601220@bugs.debian.org
Cc: Avi Rozen <avi.rozen@gmail.com>
Subject: Re: Bug#601220: orphaning noip2? (was: Re: Bug#601220: noip2: abuse of debconf)
Date: Sat, 25 Dec 2010 09:37:52 +0100
[Message part 1 (text/plain, inline)]
Hi,

Op Sat 25 Dec 2010 om 09:38:19 +0200 schreef Avi Rozen:
> On 12/25/2010 08:21 AM, Joost van Baal wrote:
> > Andres Mejia wrote:
> > <snip>
> >> this package should be orphaned.
> > <snip>
> >
> > Is Avi Rozen no longer interested in working on the noip2 Debian package?
> 
> Not really.

> > If so, it should indeed get orphaned.  Googling revealed:
> >
> >     You should set the package maintainer to Debian QA Group
> >     <packages@qa.debian.org> and submit a bug report against the
> >     pseudo package wnpp. The bug report should be titled O: package
> >     -- short description indicating that the package is now orphaned.
> >     The severity of the bug should be set to normal. [...] send a
> >     copy to <debian-devel@lists.debian.org> by putting the address
> >     in the X-Debbugs-CC: header of the message [...]

> I'm still using no-ip.com services, but I've recently switched to using
> ddclient as the update client.


Jakub Wilk wrote:
>>> The only place noip2 store configuration data (apart from the debconf 
>>> cache) is a binary blob in /var/lib/noip2/. This file will be happily 
>>> overwritten on each upgrade using *only* values supplied by debconf.

> > And the bug should be fixed too, of course...

> As for the current bug, I'd like to point out that noip2 configuration
> and runtime state has always been kept in a binary "configuration" file.
> This doesn't match the Debian policy, and the current "abuse" of debconf
> is the result of a our deliberate attempt to workaround it.

As documented in Bug #430842, I just found out.  However, this still is a
serious bug.  Currently, someone who makes local changes to the content of the
configuration file /var/lib/noip2/noip2.conf by running the noip2 client will
lose her changes at an upgrade.

Currently, no-ip offers debconf support for managing username, password,
updating, matchlist, netdevice and forcenatoff.  I assume this is generally
really sufficient to use no-ip.

An extra plain text conffile needs to be introduced, and the
advice in debconf-devel(7)'s "ADVANCED PROGRAMMING WITH DEBCONF - Config file
handling" needs to be followed.  Users should be advised not to change
/var/lib/noip2/noip2.conf directly.  I believe this way one fully adheres to
http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.2 .  It won't be
trivial...

Bye,

Joost

-- 
irc:joostvb@{OFTC,freenode} ∙ http://mdcc.cx/http://ad1810.com/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#601220; Package noip2. (Sat, 25 Dec 2010 10:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Sat, 25 Dec 2010 10:15:03 GMT) Full text and rfc822 format available.

Message #59 received at 601220@bugs.debian.org (full text, mbox):

From: Avi Rozen <avi.rozen@gmail.com>
To: Joost van Baal <joostvb-debian-bugs-20101225-9@mdcc.cx>
Cc: 601220@bugs.debian.org
Subject: Re: Bug#601220: orphaning noip2? (was: Re: Bug#601220: noip2: abuse of debconf)
Date: Sat, 25 Dec 2010 12:11:02 +0200
[Message part 1 (text/plain, inline)]
On 12/25/2010 10:37 AM, Joost van Baal wrote:
>
>> As for the current bug, I'd like to point out that noip2 configuration and runtime state has always been kept in a binary "configuration" file.
>> This doesn't match the Debian policy, and the current "abuse" of debconf
>> is the result of a our deliberate attempt to workaround it.
>>     
> As documented in Bug #430842, I just found out.  

There's more background in bug #485725 [1]. This issue keeps coming up,
our best intentions not withstanding.


> However, this still is a
> serious bug.  Currently, someone who makes local changes to the content of the
> configuration file /var/lib/noip2/noip2.conf by running the noip2 client will
> lose her changes at an upgrade.
>
> Currently, no-ip offers debconf support for managing username, password,
> updating, matchlist, netdevice and forcenatoff.  I assume this is generally
> really sufficient to use no-ip.
>   

Well, user changes will not be lost if the user performs them via
dpkg-reconfigure. I'm not sure, however, if this is specifically
documented anywhere.

> An extra plain text conffile needs to be introduced, and the
> advice in debconf-devel(7)'s "ADVANCED PROGRAMMING WITH DEBCONF - Config file
> handling" needs to be followed.  Users should be advised not to change
> /var/lib/noip2/noip2.conf directly.  I believe this way one fully adheres to
> http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.2 .  It won't be
> trivial...
>   

I was under the impression that the current situation conforms with the
debian policy, but I may be wrong.

Your suggested solution makes sense, and I agree with your assessment
that it won't be trivial to implement.

Note that noip2 already contains significant debian-specific patches, in
order to support configuration via debconf, and supporting plain a text
conffile will only add to this unhealthy situation.

In any case, I don't have the time to tackle this, and no real
motivation, since, as I mentioned, I'm quite happy using a different
update client (namely, ddclient [2]).

Thanks,
Avi



> Bye,
>
> Joost
>
>   

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485725
[2] http://packages.debian.org/search?keywords=ddclient

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 09 Jan 2012 13:33:49 GMT) Full text and rfc822 format available.

Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 09 Jan 2012 13:33:54 GMT) Full text and rfc822 format available.

Message #64 received at 601220-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 353560-done@bugs.debian.org,408079-done@bugs.debian.org,601220-done@bugs.debian.org,601229-done@bugs.debian.org,610571-done@bugs.debian.org,630027-done@bugs.debian.org,610930-done@bugs.debian.org,
Cc: no-ip@packages.debian.org, no-ip@packages.qa.debian.org
Subject: Bug#653957: Removed package(s) from unstable
Date: Mon, 09 Jan 2012 13:30:00 +0000
Version: 2.1.9-4+rm

Dear submitter,

as the package no-ip has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/653957

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Feb 2012 07:36:48 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:29:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.