Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/12/21 5:45 PM, Neal Gompa wrote:
On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton <bcotton@xxxxxxxxxx> wrote:

=== 1. It is difficult to deliver updates to configurations ===
FIles /etc/nsswitch.conf and /etc/pam.d/* are distributed as
%config(noreplace) which means that they are configuration files and
are only installed if they are not yet present. If they are present
then they are never overwritten with package updates, instead an
*.rpmnew file is created and the update responsibility is left
completely to the user.

It is done this way to prevent overwriting user changes
configurations. But at the same time it means that even configurations
that are not modified by the users can not be changed so we can not
deliver fixes and changes efficiently.

It is only possible through difficult scriptlets. As an example, we
can show this bugzilla where a change in Gnome required an update to
PAM otherwise the user could not authenticate. Delivering the change
was easy with authselect, but difficult for non-authselect systems.

Authselect already knows how the resulting configuration should look
and does not risk overriding user configuration. Making it mandatory
will help distribute important updates to nsswitch and PAM
configuration.


PAM gained support for systemd-style overlay configuration some time
ago. Actually a number of core system components did, if the libeconf
dependency is turned on. Instead of forcing authselect, we should
probably make sure base functional configuration is shipped in
something like /usr/share/pam/pam.d or something like that.

This way, it would be possible to update the *default* configuration. If the configuration is modified (e.g. added fingerprint support) the user config won't be updted, but still possible with authselect.

Packages would still have to use difficult scriptlets to enable/disable their modules. With authselect, they can just call "authselect enable-feature with-fingerprint" and fingerprint will be enabled if the profile supports it.

Note: imho packages should not do these kind of changes and rather explain how to enable modules in documentation, but they are doing it.


Not that I think authselect is bad, but I think it's a bad hammer to
solve this problem.




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux