On Sat, Mar 10, 2007 at 11:25:09AM +0100, Thorsten Leemhuis wrote:
> Axel Thimm wrote:
> >> Can somebody *please* show me two detailed examples where using
> >> fedora-usermgmt in a package does something bad/odd on people's
> >> systems in the default install (e.g. in case the admin didn't set it
> >> up)? tia!
> > Please, there are two infinite threads with examples and arguments in
> > them.
>
> Then I missed them. Please point me to two detailed examples that I can
> play around with here to understand the problems better.
>
> > [...]
> >>> So, how about vetoing instead of branching?
> >> I still fail to see why. There seems to be a lot of FUD around.
> > Can you give me two examples of FUD?
>
> No, because I said, "seems" -- In other words: I am unsure, and that's
> why I'm asking for detailed examples.

Off the top of my head, there are more in the thread, feel free to set up
a wiki page:

a) package A and B assume the user foo is at base+42. System installs
   A, admin configures fedora-usermgmt, system installs B => desynced
   uid assertion

b) same as above, only that now the admin wasn't "sloppy", but
   anaconda installed A.

c) Admin buys fedora-usermgmt "feature" set and *relies* on keeping
   foo the same across all his systems, forgets to configure system 23
   after the bare bone installation, uids get mixed, possibly exposing
   sensitive information under another uid.

d) Packager buys fedora-usermgmt "feature" and relies on the
   fixed/semi-fixed approach, but is not aware that on almost 100% of
   user deployments no one has configured fedora-usermgmt and therefore
   fedora-usermgmt is just plain old useradd. So he tests with
   different assertions and the package fails on the typical user
   deployment.

The method is fragile to say the least, and requires iron discipline
from the admin with no room for errors. This does not surface in real
life, because this method is *unused* by any package, which means that
no package really relies on fixed/semi-fixed uids.

So with fedora-usermgmt we deliver a small bomb, and fortunately 99.99%
of the users don't know how to arm it. Packages that use it are
probably owned by the same author that wrote fedora-usermgmt or are
from the hype era of fedora-usermgmt or are from packagers that
searched for user management in the wiki and all they could find was
fedora-usermgmt.

User management is delicate and fedora-usermgmt is not the way to go.
--
Axel.Thimm at ATrpms.net
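The UID mix-up in scenario (c) of the message above can be detected mechanically. The following is an added example, not part of the original message and not fedora-usermgmt code: it compares passwd(5) data collected from several hosts and reports account names whose UID differs between hosts, and UIDs owned by different names. Host names, accounts and UID values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: host23 was never configured, so "foo" received the
# next free UID from plain useradd and now shares 101 with "svc" elsewhere.
SAMPLE_PASSWD = {
    "host01": "root:x:0:0:root:/root:/bin/bash\n"
              "svc:x:101:101::/var/lib/svc:/sbin/nologin\n"
              "foo:x:30042:30042::/var/lib/foo:/sbin/nologin\n",
    "host02": "root:x:0:0:root:/root:/bin/bash\n"
              "svc:x:101:101::/var/lib/svc:/sbin/nologin\n"
              "foo:x:30042:30042::/var/lib/foo:/sbin/nologin\n",
    "host23": "root:x:0:0:root:/root:/bin/bash\n"
              "foo:x:101:101::/var/lib/foo:/sbin/nologin\n",
}


def parse_passwd(text):
    """Yield (name, uid) from passwd(5)-format text, skipping unusable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry or NIS +/- line: nothing to compare
        yield fields[0], int(fields[2])


def uid_drift(passwd_by_host):
    """Return (name_drift, uid_reuse) across hosts.

    name_drift: {name: {uid: [hosts]}} for names mapped to more than one UID
    uid_reuse:  {uid: {name: [hosts]}} for UIDs owned by more than one name
    """
    by_name = defaultdict(lambda: defaultdict(list))
    by_uid = defaultdict(lambda: defaultdict(list))
    for host in sorted(passwd_by_host):
        for name, uid in parse_passwd(passwd_by_host[host]):
            by_name[name][uid].append(host)
            by_uid[uid][name].append(host)
    name_drift = {n: dict(u) for n, u in by_name.items() if len(u) > 1}
    uid_reuse = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    return name_drift, uid_reuse


if __name__ == "__main__":
    drift, reuse = uid_drift(SAMPLE_PASSWD)
    print("names with differing UIDs:", drift)
    print("UIDs with differing owners:", reuse)
```

A non-empty `uid_reuse` entry is the case that matters for shared storage and backups: files written by one account on one host appear owned by a different account on another.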