On 10/12/21 5:45 PM, Neal Gompa wrote:
On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton <bcot...@redhat.com> wrote:

=== 1. It is difficult to deliver updates to configurations ===
Files /etc/nsswitch.conf and /etc/pam.d/* are distributed as
%config(noreplace) which means that they are configuration files and
are only installed if they are not yet present. If they are present
then they are never overwritten with package updates, instead an
*.rpmnew file is created and the update responsibility is left
completely to the user.

It is done this way to prevent overwriting user-changed
configurations. But at the same time it means that even configurations
that are not modified by the users cannot be changed, so we cannot
deliver fixes and changes efficiently.

It is only possible through difficult scriptlets. As an example, we
can show this bugzilla where a change in Gnome required an update to
PAM otherwise the user could not authenticate. Delivering the change
was easy with authselect, but difficult for non-authselect systems.

Authselect already knows how the resulting configuration should look
and does not risk overriding user configuration. Making it mandatory
will help distribute important updates to nsswitch and PAM
configuration.


PAM gained support for systemd-style overlay configuration some time
ago. Actually a number of core system components did, if the libeconf
dependency is turned on. Instead of forcing authselect, we should
probably make sure base functional configuration is shipped in
something like /usr/share/pam/pam.d or something like that.

This way, it would be possible to update the *default* configuration. If the configuration is modified (e.g. added fingerprint support) the user config won't be updated, but it is still possible with authselect.

Packages would still have to use difficult scriptlets to enable/disable their modules. With authselect, they can just call "authselect enable-feature with-fingerprint" and fingerprint will be enabled if the profile supports it.

Note: imho packages should not do this kind of change and should rather explain how to enable modules in documentation, but they are doing it.


Not that I think authselect is bad, but I think it's a bad hammer to
solve this problem.




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
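
The %config(noreplace) behaviour discussed in this thread leaves packaged defaults sitting beside the live files as *.rpmnew. As an added example (not part of the original message, and not code from authselect or Fedora), this shell function reports which nsswitch and PAM files have such a pending default; the name pending_rpmnew and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# List pending *.rpmnew files for nsswitch and PAM under a root directory.
# Output: one line per file, "<status> <live path>", where status is
#   unmerged  - the packaged default differs from the live file
#   identical - the .rpmnew matches the live file and can be removed
#   orphan    - a .rpmnew exists but the live file is missing
pending_rpmnew() {
    root=${1:-}
    for new in "$root"/etc/nsswitch.conf.rpmnew "$root"/etc/pam.d/*.rpmnew; do
        [ -f "$new" ] || continue      # unmatched glob or not a regular file
        live=${new%.rpmnew}
        if [ ! -e "$live" ]; then
            status=orphan
        elif cmp -s "$live" "$new"; then
            status=identical
        else
            status=unmerged
        fi
        printf '%s %s\n' "$status" "${live#"$root"}"
    done
}

# Constructed sample tree (not real system files) to show the three cases.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf 'passwd: files sss\n' > "$d/etc/nsswitch.conf"
    printf 'passwd: files sss systemd\n' > "$d/etc/nsswitch.conf.rpmnew"
    printf 'auth required pam_unix.so\n' > "$d/etc/pam.d/system-auth"
    cp "$d/etc/pam.d/system-auth" "$d/etc/pam.d/system-auth.rpmnew"
    printf 'auth required pam_unix.so\n' > "$d/etc/pam.d/password-auth.rpmnew"
    echo "$d"
}

tree=$(demo_tree)
pending_rpmnew "$tree"
rm -rf "$tree"
```

Called with no argument, the function scans the running system's /etc. An "unmerged" line for a PAM or nsswitch file means a packaged change has not reached the active configuration.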
