Subject: Re: [gentoo-dev] Changes made by acct-* ebuilds
From: Thomas Deutschmann
To: gentoo-dev@lists.gentoo.org
Date: Thu, 13 Feb 2020 02:32:35 +0100
Message-ID: <94cb2207-5c04-59bc-e322-69151ebd7ba7@gentoo.org>
In-Reply-To: <6A29F6A2-AA53-4B7A-A24A-6639993ABD17@chead.ca>
Hi,

thank you for bringing this to the list. I have the same experience, which is the reason why I haven't migrated most of my packages yet (which is not a good move because I also didn't post the problem to the list like I wanted *yet*; I only talked to people via private mail, chat or at FOSDEM about that and was working on a proposal I wanted to show next week when I am hopefully healthy again).

In short: It was a very bad decision that acct-* stuff is *changing* existing stuff. This must be turned off *by default*. Maybe provide a setting a user can put into make.conf to opt into the current, still new, behavior, but by default a package should never ever make changes to an *existing* user (unless it knows for sure it was the only source creating that user and nothing was changed since creation, which isn't easy to track).

My example is a little bit different: Please think about all the systems which are managed using some kind of configuration management tool (Puppet, Ansible, Salt, Chef...). It's really common and there is nothing wrong with making use of usermod, for example, to alter users. All of the tools I mentioned have 'templates' (=ready to use scripts to set up common software) which will make use of things like usermod.

The problem: You never expect that something in the OS will get rid of your changes and will revert to something the package manager believes should be the default.
In environments where you only have to deal with Gentoo, we maybe have created something *new* which allows for new possibilities, see https://wiki.gentoo.org/wiki/OpenDKIM#The_new_way

However, this is very bad: Configuration management tools are common these days. While we also have systemd, which helps at least to provide some kind of interface allowing users to set timezone, time synchronization, hostname and other general settings the same way across different distributions, configuration management tools are also an abstraction layer: You write 'recipes' or 'playbooks', describe 'states' in a general language and the used cfm tool will know all the implementation details. So in the end it doesn't matter if you apply your configuration against Debian, Fedora, RHEL or Gentoo -- the system you run your code against should be in the described state after all. That's at least the idea ;-)

Thanks to the new way we manage users in Gentoo, that's no longer the case: Suddenly you cannot use basic tools like usermod to make changes to users anymore because you cannot be sure that these settings won't be reverted.

Also, the idea to create *packages* to represent user configuration doesn't scale. I already outlined that issue in [1]. Simple example: You have two services (ServiceA and ServiceB) both using the same package (say www-servers/nginx). We are talking about something like a 'real application server'. While you can overwrite user/group via ebuild once, you can't do it multiple times for *different* roles. Especially when you have to deal with some kind of 'dynamic' stuff (see the Jenkins discussion). Creating your own acct-* repository *per role* can't scale (aside from the fact that it will be impossible to tell users, "Yeah... for Gentoo you just cannot use the 'append user X to group sudo' syntax you use in your cfm tool. Instead you have to fork acct-group/sudo, put the user into that ebuild and ensure that this version is installed").
Also, don't forget about servers executing multiple roles at the same time: It's easier to describe something like "Make sure user X is in group Y" vs. making sure you have that single acct-* ebuild creating user X or group Y with everything you ever need right from the beginning.

tl;dr We need to change the current acct-* eclasses to not change things (i.e. not changing home, groups...). At least if user/group were created/modified outside of the PM.

See also:
=========
[1] https://archives.gentoo.org/gentoo-dev/message/05c9b211eb18012d16302194a7bc37e6

-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
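Added example, not part of the thread and not the acct-user eclass's code: a small POSIX sh model of the policy the mail asks for. A hypothetical account recipe creates a user only when it is absent, compares an existing user's home and supplementary groups against the recipe and reports the drift instead of reverting it, and only resets the home field when the hypothetical opt-in ACCT_MODIFY_EXISTING=1 is set (the mail suggests a make.conf knob but names none). All function names are invented for this example, and it works on constructed copies of /etc/passwd and /etc/group so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the gentoo-dev thread or the acct-user eclass.
# Models the requested policy: create a user only if absent; report, but never
# revert, changes made to an existing user outside the package manager,
# unless the hypothetical opt-in ACCT_MODIFY_EXISTING=1 is set.

# Constructed stand-ins for /etc/passwd and /etc/group so this runs unprivileged.
# nginx was altered by a config-management tool: new home, and added to 'sudo'.
ACCT_PASSWD=$(mktemp)
ACCT_GROUP=$(mktemp)
cat > "$ACCT_PASSWD" <<'EOF'
nginx:x:101:101::/srv/www/app:/sbin/nologin
postfix:x:102:102::/var/spool/postfix:/sbin/nologin
EOF
cat > "$ACCT_GROUP" <<'EOF'
nginx:x:101:
postfix:x:102:
sudo:x:27:nginx
EOF

# Home directory of a user; empty if the user does not exist.
user_home() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$ACCT_PASSWD"
}

# Supplementary groups (explicit member lists in the group file), sorted and
# space-separated; empty when the user is in none.
user_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' \
        "$ACCT_GROUP" | sort | tr '\n' ' ' | sed 's/ $//'
}

# acct_user_check NAME HOME GROUPS
# Returns 0 = present and matching the recipe, 1 = absent, 2 = present but drifted.
acct_user_check() {
    name=$1; want_home=$2; want_groups=$3
    have_home=$(user_home "$name")
    if [ -z "$have_home" ]; then
        echo "$name: absent"
        return 1
    fi
    have_groups=$(user_groups "$name")
    if [ "$have_home" = "$want_home" ] && [ "$have_groups" = "$want_groups" ]; then
        echo "$name: matches recipe"
        return 0
    fi
    echo "$name: drift: home=$have_home groups='$have_groups' (recipe: home=$want_home groups='$want_groups')"
    return 2
}

# acct_user_apply NAME UID HOME GROUPS
# Creates the user when absent (appends to the sample file; a real eclass would
# call useradd). An existing user is left alone and the drift is only reported,
# unless ACCT_MODIFY_EXISTING=1, in which case the home field is reset.
acct_user_apply() {
    name=$1; uid=$2; want_home=$3; want_groups=$4
    rc=0
    acct_user_check "$name" "$want_home" "$want_groups" >/dev/null || rc=$?
    case $rc in
        1)
            printf '%s:x:%s:%s::%s:/sbin/nologin\n' "$name" "$uid" "$uid" "$want_home" >> "$ACCT_PASSWD"
            echo "$name: created"
            ;;
        2)
            if [ "${ACCT_MODIFY_EXISTING:-0}" = 1 ]; then
                awk -F: -v OFS=: -v u="$name" -v h="$want_home" '$1 == u { $6 = h } { print }' \
                    "$ACCT_PASSWD" > "$ACCT_PASSWD.tmp" && mv "$ACCT_PASSWD.tmp" "$ACCT_PASSWD"
                echo "$name: home reset to $want_home (ACCT_MODIFY_EXISTING=1)"
            else
                echo "$name: exists and was changed outside the PM; left unchanged"
            fi
            ;;
        *)
            echo "$name: nothing to do"
            ;;
    esac
    return 0
}

# Example run: the default policy leaves the altered nginx user alone and
# creates the missing dovecot user.
acct_user_apply nginx 101 /var/lib/nginx ""
acct_user_apply dovecot 103 /var/lib/dovecot ""
```

The check and the apply step are kept separate on purpose: a package can always run the check and log the result, while any change to an account the package did not create stays behind an explicit opt-in, which is the default the mail argues for.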