Hello,

I would recommend a change to the testing description. See below...

On Tuesday, December 24, 2024 11:01:11 AM EST Aoife Moloney via devel-announce wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
> Discussion thread -
> https://discussion.fedoraproject.org/t/f42-change-proposal-rpm-support-for-systemd-sysusers-d-system-wide/140621
>
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> RPM supports creating users and groups according to configuration
> provided in sysusers.d snippets shipped in package payload.
>
> The goal of the proposal is to fully integrate this RPM functionality in
> Fedora.
>
> == Owner ==
> * Name: Michal Sekletar, Zbigniew Jędrzejewski-Szmek, Panu Matilainen
> * Email: msekleta@xxxxxxxxxx, zbyszek@xxxxxxxxx, pmatilai@xxxxxxxxxx
>
>
> == Detailed Description ==
> This proposal consists of two parts. The first is to make sure that
> rpm functionality is fully enabled in Fedora. The second is to update
> packaging guidelines and raise awareness about the new simpler user
> creation method for rpm packages. The goal is a fully declarative
> system user and group management in all RPMs. Over time we should be
> able to drop all manual `useradd`/`groupadd` invocations or use of
> `%sysusers_create_compat` macro in rpm scriptlets.
>
> Support for sysusers was added in rpm 4.19.0. Support for group
> membership (`m` lines) was added in rpm 4.20.0. Support for
> locked-down users (`u!` lines) was added for rpm 4.21.0.
> The rpm package has patches to disable user/group creation
> ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.18.92-disable-sysusers.patch
> rpm-4.18.92-disable-sysusers.patch]) and make user/group
> dependencies weak
> ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.19.91-weak-user-group.patch
> rpm-4.19.91-weak-user-group.patch]).
>
> == Feedback ==
> [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxg/thread/IKWECWMBWN2IDKLHK3Q2TZKVSVFTXUNA/#U4BF4ETCFNMMXY6NGRV5Y7ABTZDXQYNY
> | Discussion] about idea to submit the proposal on fedora-devel list.
>
> == Benefit to Fedora ==
> * Declarative system user and group management by packages
> * Potential for spec file simplification, concretely, removal of
> relevant part of %pre scripts in some packages.
> * Ability to query what user and groups are provided by given package
> as well as ability to have dependencies on users/groups from different
> packages.
> * Make use of native rpm functionality in favor of current
> %sysusers_compat_create.
>
> == Scope ==
> * Proposal owners:
> ** Change rpm so that it generates hard dependency between packages A
> and B in case B depends on user or group provided by package A. Rpm
> currently has downstream patch so that only weak dependencies are
> generated.
> ** Make sure that previous change in rpm doesn't cause package
> dependency loops during system installation.
> ** Work on fix for shadow-utils so that useradd and groupadd work
> correctly in chroot on SELinux enabled systems (shadow-utils
> [https://github.com/shadow-maint/shadow/issues/940| issue].)
> * Other developers:
> ** We would welcome any help with shadow-utils
> [https://github.com/shadow-maint/shadow/issues/940| issue].
>
> * Release engineering: N/A (not needed for this Change)
> * Policies and guidelines: N/A (not needed for this Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with the Fedora Strategy:
>
>
> == Upgrade/compatibility impact ==
> There is no upgrade/compatibility impact.
>
> == How To Test ==
> * Select rpm package that creates system user/group account in %pre
> * Remove part of %pre scriptlet that handles user/group creation
> * Create equivalent
> [https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html|
> sysusers.d] configuration file and ship it as part of rpm payload
> under /usr/lib/sysusers.d/.
> * Rebuild the package
> * Verify that package has been built correctly and it has rpm provides
> for installed user account and group (e.g. `user(foo) =
> ABUNCHOFHEXHERE`, `group(bar) = ADIFFERNTBUNCHOFHEXHERE`). Use
> `rpm -qP $package | awk '/(user|group)\(/ {print $3}' | base64 -d` and
> check that the output looks reasonable.
> * Verify that you can install the package and installed files have
> correct ownership.

* Verify that audit events exist for user and group creation:
ausearch --start recent -i -m 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'
* Remove the package and verify audit events exist for account and group
deletion (see above ausearch command).

-Steve

> == User Experience ==
> There shouldn't be any user observable change to previous state.
> Potential packaging related benefits are mostly of interest to package
> maintainers.
>
> == Dependencies ==
> None
>
> == Contingency Plan ==
> * Contingency mechanism: If we are not confident by mass-rebuild that
> we can deliver the feature we will postpone its delivery to later
> Fedora release. There are no explicit rollback/cleanup actions that
> need to be taken.
> * Contingency deadline: Mass Rebuild of RPMs on Wed 2025-01-15.
> * Blocks release?
> No
>
> == Documentation ==
> [https://github.com/rpm-software-management/rpm/blob/master/docs/manual/users_and_groups.md#users-and-groups|
> sysusers.d support in RPM].
>
> == Release Notes ==
> N/A
>
> --
> Aoife Moloney
>
> Fedora Operations Architect
>
> Fedora Project
>
> Matrix: @amoloney:fedora.im
>
> IRC: amoloney
> --
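
The "check that the output looks reasonable" step in How To Test above can be scripted. This is an added example, not part of the original message or the Change proposal. It assumes each decoded value is a sysusers.d line of the form `<type> <name> ...`; the function names and the sample package `foo` are hypothetical, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: decode user()/group() provides printed by `rpm -qP`.

# Constructed stand-in for `rpm -qP $package` output (package "foo" is hypothetical).
sample_provides() {
    printf 'foo = 1.0-1\n'
    printf 'user(foo) = %s\n' "$(printf 'u foo - "Foo daemon" /var/lib/foo' | base64)"
    printf 'group(bar) = %s\n' "$(printf 'g bar -' | base64)"
}

# Reads provides on stdin; prints OK/SKIP/BAD per user()/group() entry.
# Returns non-zero if any value fails to decode or does not match its name.
check_provides() {
    rc=0
    while read -r cap _eq blob; do
        case $cap in
            'user('*')')  kind=user ;;
            'group('*')') kind=group ;;
            *) continue ;;                      # not an account provide
        esac
        name=${cap#*\(}; name=${name%\)}
        if [ -z "$blob" ]; then                 # nothing to decode
            echo "SKIP $kind $name: no encoded value"; continue
        fi
        if ! line=$(printf '%s' "$blob" | base64 -d 2>/dev/null); then
            echo "BAD $kind $name: value is not valid base64"; rc=1; continue
        fi
        # Assumption: decoded text is a sysusers.d line, "<type> <name> ...".
        set -f; set -- $line; set +f            # split fields without globbing
        case "$kind:$1" in
            user:u|'user:u!'|group:g) ;;
            *) echo "BAD $kind $name: unexpected line type '$1'"; rc=1; continue ;;
        esac
        if [ "$2" != "$name" ]; then
            echo "BAD $kind $name: decoded line names '$2'"; rc=1; continue
        fi
        printf 'OK %s %s: %s\n' "$kind" "$name" "$line"
    done
    return $rc
}

sample_provides | check_provides
```

Against a real build, replace `sample_provides` with `rpm -qP $package` and compare the decoded lines to the file shipped under /usr/lib/sysusers.d/.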