[collectd] Bug#631167: On purge, deletes RRD databases without prompting.

Sebastian Harl tokkee at debian.org
Wed Jan 11 19:25:00 CET 2012


severity 631167 important

Hi,

sorry for not coming back on this earlier. This has bugged me for quite
a bit now and I'm not sure at all how to handle this. I've talked to a
few people about this but we could not reach any consensus so far.

On Tue, Jun 21, 2011 at 11:33:41AM +1000, Trent W. Buck wrote:
> Recently I "apt-get remove collectd-core" and manually installed
> collectd from its git repo.  Later, I found that /etc/collection.conf
> was still around, so I did "dpkg -P collectd-core".  To my surprise, I
> found that collectd-core's postrm purge script deletes, WITHOUT ANY
> PROMPTING OR WARNING, all my rrd databases and collectd configuration.

Removing configuration files on "purge" is mandated by policy [1].
However, policy does not talk about anything else (besides log files
which should be removed as well) in that respect. *Imho*, "purge" is
meant to be "remove any trace of the package in question" which includes
generated data as well. Anyway, for now I'm downgrading the severity of
this bug, since there is no clear requirement for any behavior.

> This is *not cool*.  I suppose it's reasonable to clean up /var/lib
> after oneself, but collectd-core should follow the example of RDBMSs
> and ask the user (via debconf) for confirmation before doing so.

This is not handled consistently across different RDBMSs: while MySQL
prompts the user (and defaults to "keep the data"), PostgreSQL
unconditionally removes all databases on "purge" as well.

I haven't found a respective bug report against PostgreSQL but there is,
for example, #535577 [2] without a clear consensus. That bug points to a
(draft?) of a database policy [3]. The latter talks about "a package
should consider databases in a spirit similar to configuration files or
log files" (i.e. remove) but at the same time recommends "that the
administrator is prompted with a chance to preserve the data before
doing so". However, it does not differentiate between "remove" and
"purge".

Anyway, prompting the user in case of purging databases seems to be a
commonly accepted behavior. I currently tend to prompt the user on
"purge" using a debconf question of priority "high" but default to
remove the data. This seems like the best approach to me; taking into
account the arguments of both sides. Also, imho, that's in the spirit of
"with a chance to preserve the data" as mentioned above.

Does that sound reasonable to you?

I've Cc'ed the collectd mailing list, hoping for some more user
feedback.

Cheers,
Sebastian

[1] <http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-removedetails>
[2] <http://bugs.debian.org/535577>
[3] <http://people.debian.org/~seanius/policy/dbapp-policy.html/ch-dbapps.html#s-installationissues>

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin
