Re: F39 Change Proposal: LibuserDeprecation (System Wide)

On Monday, June 26, 2023 2:47:01 PM EDT Peter Robinson wrote:
> On Thu, Jun 22, 2023 at 5:15 PM Aoife Moloney <amoloney@xxxxxxxxxx> wrote:
> >
> >
> > https://fedoraproject.org/wiki/Changes/LibuserDeprecation
> >
> >
> >
> >
> > This document represents a proposed Change. As part of the Changes
> > process, proposals are publicly announced in order to receive
> > community feedback. This proposal will only be implemented if approved
> > by the Fedora Engineering Steering Committee.
> >
> >
> >
> >
> > == Summary ==
> >
> >
> >
> > Libuser is not actively developed. Most of the depending components
> > have a build-time option to work without libuser.
> >
> >
> >
> > == Owner ==
> >
> >
> >
> > * Name: [[User:THalman| Tomas Halman]]
> >
> >
> >
> > * Email: <thalman@xxxxxxxxxx>
> >
> >
> >
> >
> > == Detailed Description ==
> >
> >
> >
> > Libuser provides a library and command-line utilities to manipulate
> > user and group information. The purpose of the library
> > is/was to hide the differences between users in LDAP and files in etc
> > (passwd, groups...). The support for LDAP
> > is not complete and there is no plan to extend the functionality.
> >
> >
> >
> > The LDAP integration in Fedora is nowadays done by SSSD.
> >
> >
> >
> > In the past, libuser was used by more components, including the Fedora
> > installer. Currently the list is short:
> >
> >
> >
> > * usermode (Requires development, it is not complicated but the
> > dependency is unconditional)
> > * util-linux (compile time option)
> > * passwd (I suggest shipping the passwd utility from shadow-utils instead
> > of passwd and dropping the passwd package as well)
> 
> 
> Has the maintainer of the passwd utility been engaged about this
> suggestion? Is there a difference in functionality between the two
> variants of passwd?

Yes, there is at least one difference that I know of. The one from passwd is 
SELinux aware. I think that the threat it is defending against is root being 
a shared account. You can have web admin, db admin, security officer, and 
other roles. You do not want someone in one of these roles to be able to 
change the root password and take over / block other admins.

If you run in the unconfined domain, then you would never know it's there. 
It's when you actually use roles that you bump into this.

-Steve


> > == Feedback ==
> >
> >
> >
> >
> > == Benefit to Fedora ==
> >
> >
> >
> > The main benefit is to decrease the maintenance and packaging work on
> > a library that does not bring much value while the functionality is
> > provided by other components.
> >
> >
> >
> > == Scope ==
> > * Proposal owners: Dropping the package, move it to EPEL eventually
> >
> >
> >
> >
> > * Other developers:
> >
> >
> >
> > ** Update usermode code to make libuser dependency configurable.
> > ** Update usermode packaging to compile it without libuser
> > ** Change packaging of util-linux to compile without libuser dependency
> > ** Change packaging of shadow-utils to provide passwd utility
> >
> >
> >
> >
> > * Release engineering: [https://pagure.io/releng/issue/11492]
> >
> >
> >
> > Libuser is part of the base image and must be removed. IMO a mass rebuild
> > is not required.
> >
> >
> >
> >
> > * Policies and guidelines: Since this is about dropping packages,
> > release notes must be updated.
> >
> >
> >
> >
> > * Trademark approval: N/A (not needed for this Change)
> >
> >
> >
> > * Alignment with Community Initiatives: N/A
> >
> >
> >
> >
> > == Upgrade/compatibility impact ==
> >
> >
> >
> > People who used libuser to manipulate users in LDAP will have to move to
> > SSSD.
> >
> >
> >
> > == How To Test ==
> >
> >
> >
> > 0. no special hardware needed
> > 1. remove libuser, passwd, install new shadow-utils, usermod and
> > util-linux
> > 2. try to change password of some user
> > 3. try to modify user using usermod
> > 4. expected results: everything works normally
> >
> >
> >
> > == User Experience ==
> > This change should not be visible for users.
> >
> >
> >
> >
> >
> > == Dependencies ==
> >
> >
> >
> >
> > * usermod (code modification, packaging to drop libuser dependency)
> > * shadow-utils (packaging to provide passwd utility)
> > * util-linux (packaging to drop libuser dependency)
> > * passwd (drop package)
> >
> >
> >
> > == Contingency Plan ==
> >
> >
> >
> > * Contingency mechanism: Revert the shipped configuration
> > * Contingency deadline: final development freeze
> > * Blocks release? No
> >
> >
> >
> > == Documentation ==
> >
> >
> >
> > There is no extra documentation for this change except release notes.
> >
> >
> >
> > == Release Notes ==
> >
> >
> >
> >
> >
> >
> >
> > --
> > Aoife Moloney
> > Product Owner
> > Community Platform Engineering Team
> > Red Hat EMEA
> > Communications House
> > Cork Road
> > Waterford
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue