[Bug 434693] Re: [MIR] ec2-init

Martin Pitt martin.pitt at ubuntu.com
Wed Sep 23 11:15:42 UTC 2009 

Can you please fix these lintian warnings? Should be quite easy.

W: ec2-init: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL
W: ec2-init: init.d-script-missing-lsb-section /etc/init.d/rightscale-init
E: ec2-init: init.d-script-does-not-implement-required-option /etc/init.d/rightscale-init restart
E: ec2-init: init.d-script-does-not-implement-required-option /etc/init.d/rightscale-init force-reload

Also, some init scripts use echo instead of the lsb_* functions. This
really ought to be fixed first.

debian/ec2-init.rightscale-init.init looks questionable and also has some security issues:
 - Uses static file names without further checks in /tmp, allowing symlink attacks
 - Calls apt-get update/install in an init script, which is really not the way things work: please just make those dependencies
 - wgets and installs third-party software (http://rubyforge.org/frs/download.php/45905/rubygems-1.3.1.tgz) without any further checks (signatures, checksums, etc.)
 - uses /opt/ which distro packages must not touch
 - calls lsb_release without depending on it
 - changes apt sources without further checks or questions
 - assumes that there is an "ubuntu"  user and mucks around in /home. Ubuntu packages must not touch /home.

By and large, this is totally inappropriate as an init script. Setup
should be run in postinst, Ubuntu packages should be pulled in as
dependencies, and automatically installing third-party packages subverts
our trust chain and packaging policy. Please just package the gem and
depend on it.

Likewise, ./ec2-init calls regenerate_ssh_host_keys() if ec2-wait-for-
meta-data-service() succeeds. Can the latter ever succeed on a non-ec
setup? It must not ever, ever, ever change host keys on a normal system.

Packages shuold be installable on a normal system without wreaking
havoc. Especially those which have a totally inconspicuous package
description like ec2-init. Please at least change the package
description to say "THIS IS NOT THE PACKAGE YOU WANT!!!!11!!!", or
(preferably)  make it inert on a normal system.

Please don't get yourself sucked into the deep black hole that automatix
was. Perhaps this isn't appropriate as a package at all, but rather
should be an installer-like script on its own, much like ubuntu-vm-
builder. Then it can build its own chroot and bang on it as it wants,
without endangering normal Ubuntu installations which apt-get install
this package?

** Changed in: ec2-init (Ubuntu)
       Status: New => Incomplete

-- 
[MIR] ec2-init
https://bugs.launchpad.net/bugs/434693
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

More information about the universe-bugs mailing list