Re: F39 Change Proposal: LibuserDeprecation (System Wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday, June 22, 2023 12:14:28 PM EDT Aoife Moloney wrote:
> https://fedoraproject.org/wiki/Changes/LibuserDeprecation
> 
> 
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> 
> == Summary ==
> 
> Libuser is not actively developed. Most of the depending component
> have build-time option to work without libuser.

I'm all for dropping things to reduce attack surface, but the passwd, shadow, 
group, and gshadow files have not really changed in forever. Just saying...


> == Owner ==
> 
> * Name: [[User:THalman| Tomas Halman]]
> 
> * Email: <thalman@xxxxxxxxxx>
> 
> 
> == Detailed Description ==
> 
> The libuser provides library and command line utilities to manipulate
> user and group information. The purpose of the library
> is/was to hide the differences between users in LDAP and files in etc
> (passwd, groups...). The support for LDAP
> is not complete and there is no plan to extend the functionality.
> 
> The LDAP integration in Fedora is nowadays done by SSSD.
> 
> In the past, the libuser was used by more component including Fedora
> installer. Currently the list is short
> 
> * usermode (Requires development, it is not complicated but the
> dependency is unconditional)
> * util-linux (compile time option)
> * passwd (I suggest to ship passwd utility from shadow-utils instead
> of passwd and drop passwd package as well)

passwd has the distinction of being one of the only selinux userspace object 
managers. Might want to check if we lose anything with that switch. I also 
have not audited the code in shadow-utils version of passwd where the one we 
are using now has been audited several times.

-Steve
 

> == Feedback ==
> 
> 
> == Benefit to Fedora ==
> 
> The main benefit is to decrease the maintenance and packaging work on
> library that does not bring much value while the functionality is
> provided by another components.
> 
> == Scope ==
> * Proposal owners: Dropping the package, move it to EPEL eventually
> 
> 
> * Other developers:
> 
> ** Update usermode code to make libuser dependency configurable.
> ** Update usermode packaging to compile it without libuser
> ** Change packaging of util-linux to compile without libuser dependency
> ** Change packaging of shadow-utils to provide passwd utility
> 
> 
> * Release engineering: [https://pagure.io/releng/issue/11492]
> 
> Libuser is part of base image and must be removed. IMO mass rebuild is
> not required.
> 
> 
> * Policies and guidelines: Since this is about dropping packages
> release notes must be updated.
> 
> 
> * Trademark approval: N/A (not needed for this Change)
> 
> * Alignment with Community Initiatives: N/A
> 
> 
> == Upgrade/compatibility impact ==
> 
> People who used libuser to manipulate users in LDAP will have to move to
> SSSD.
 
> == How To Test ==
> 
> 0. no special hardware needed
> 1. remove libuser, passwd, install new shadow-utils, usermod and
> util-linux
 2. try to change password of some user
> 3. try to modify user using usermod
> 4. expected results: everything works normally
> 
> == User Experience ==
> This change should not be visible for users.
> 
> 
> 
> == Dependencies ==
> 
> 
> * usermod (code modification, packaging to drop libuser dependency)
> * shadow-utils (packaging to provide passwd utility
> * util-linux (packaging to drop libuser dependency)
> * passwd (drop package)
> 
> == Contingency Plan ==
> 
> * Contingency mechanism: Revert the shipped configuration
> * Contingency deadline: final development freeze
> * Blocks release? No
> 
> == Documentation ==
> 
> There is no extra documentation for this change except release notes.
> 
> == Release Notes ==
> 
> 
> 
> 
> 
> -- 
> Aoife Moloney
> 
> Product Owner
> 
> Community Platform Engineering Team
> 
> Red Hat EMEA
> 
> Communications House
> 
> Cork Road
> 
> Waterford
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List
> Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List
> Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxx
> g Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux