On Mi, 09.10.24 12:56, Pavel Březina (pbrezina@xxxxxxxxxx) wrote:

> Hi Fedora,
> nss-altfiles is not currently part of the default installation and can be
> optionally added to nsswitch.conf via authselect's with-altfiles.
>
> This however breaks ostree composes since it uses and requires altfiles to
> provide system users. This is handled in authselect spec file that tinkers
> with the shipped profiles and hardcodes altfiles to the configuration. [1]
> It works as expected.
>
> Downside is that the authselect content we ship is different for ostree
> systems and standard composes.
>
> There is also an issue with bootc. Authselect has to be part of the source
> bootc image, if it is installed later by dnf, it does not work because there
> is no /run/ostree-booted during container image build time. This, however,
> does not really affect Fedora 38+ since authselect is required by pam and
> part of default installation. It may affect other distributions though.
>
> Unless there is some push back, I would like to change authselect to require
> nss-altfiles and hardcode altfiles in nsswitch.conf for everyone and finally
> get rid of this duality.
>
> Are there any strong opinions?

Hmm, so I'd advise against this for now. There's work ongoing to allow
glibc to read NSS databases directly from /usr/:

https://sourceware.org/pipermail/libc-alpha/2024-September/160272.html

(thread continues into the next month, might need to click around in
the archive)

This has different semantics compared to nss-altfiles (the native
glibc logic would use only one version of the database, while
nss-altfiles combines if both exist), but at the very least there seems
to be some discussion that is still ongoing on what this should look
like in the end, and in particular what the right paths are to use for
the 2nd copy.

I'd recommend waiting for this discussion to be resolved.
Lennart

--
Lennart Poettering, Berlin