Suricata

What .deb are those?

https://launchpad.net/~oisf/+archive/ubuntu/suricata-beta <- those

These are meant to be a drop in replacement for the ones packaged by Ubuntu (which bases them on Debian), so they support what the Debian maintainers have created. It's only used by the packages init script, so you can bypass it easily.

I've failed to parse previous comment. Could you please reformulate that into simpler English?

This bug is not about preferred default values - it's about the fact that those values are configurable through 2 (!) completely separate files with unclear preference with regards to each other. Would be much more clear if it were only 1 single file where I have to change whatever is default without bothering to look someplace else.

Suggestions for addressing this are always welcome for feedback.

Simple really: kill all the option in /etc/default/suricata which have their equivalent in /etc/suricata/suricata.yaml
Having multiple locations to configure the same thing does not add "flexibility" - it adds confusion by violating single-source-of-truth principle.

Personally I would just remove /etc/default/suricata completely, although I guess leaving there RUN, RUN_AS_USER and SURCONF would suit most people.

The reason it's there is that Debian package (the one the debian project maintains) has it. Ubuntu thus also has it (they take it from Debian). As Ubuntu has it, we have it too in our PPA. This is because the goal of the PPA is to provide a seamless upgrade path from the distro-versions.

The file is only used by the init script, not by suricata itself.

So, wouldn't having the same file with minimal number of options (even simple RUN=yes would do) suffice for upgrade path?

I don't see how. The default file determines IPS vs IDS mode for example. So we couldn't leave that out.