Mailinglist Archive: opensuse (1352 mails)

< Previous Next >
[opensuse] Suse random development practice (was Re: Problem with suid pgms on Leap-15.0)
Andrei Borzenkov wrote:
This appears to be a local SUSE patch which additionally resets
supplementary groups. There is not much info in the changelog and OBS is not
entirely helpful in browsing historical versions either, but for all I
can tell the patch is quite old. The behavior is present in Leap 42.3 already.
---
Why does openSUSE allow this nonsense?

Someone up and applies a patch without documenting it
very well and doesn't even bother to update the associated manpages.
Then people wonder why things break randomly. I've heard
from people outside of SUSE, years ago, that openSUSE's releases
were known to have little-documented and little-known patches that
caused openSUSE-built binaries to not behave the same as the same programs on other
OSes. To the point that openSUSE had a reputation for having flaky
behaviors in their programs.

I didn't know what to say when I heard this; as far as I knew it
was FUD, but I've seen more than one patch like this -- with little
justification or documentation. The problem is that some of them, like this one, affect security. This makes me more than a little
less trusting of openSUSE-patched binaries when it comes to compatibility
and documented security behaviors.

I ran into a similar attitude that repurposed a pam file for
setting the environment once per login session to once per SUSE-session initialization. Problem was, they aren't the same -- critical security
information like how the original logged-in user logged into the system
was thrown away (with a side effect of killing a remote display due
to the remote host no longer being known). I was told SUSE was
repurposing this for their own session usage and my original usage, as documented in the module notes, was no longer important/relevant or
whatever.

I could enumerate more issues that fit the same pattern, but it seems like someone "in charge" of a program can make changes pretty
much however they see fit. Over past versions many of these
changes caused innumerable problems that are very hard to track down, because no one expects changes of this type -- making such changes lightly
would be too likely to cause incompatibilities with other
people's usage. On the pam issue I asked why they couldn't fork the
module under a new name for SUSE's session definition use. "Nah, not worth it" was basically the message I got.
Many of those issues I did file bugs on, only to have the bug
rejected.
What's amusing is that on visible things, I'll be told SUSE stays well behind the curve so as to not cause incompatibilities --
meaning it's only little changes that are not that visible that get
changed, leaving someone to wonder what happened, and if it will be
fixed before some 2-3 year time period has passed and the version they
filed it against is no longer supported.

I don't know the fix, but it seems like a problem not likely to engender trust and confidence when encountering problems --
especially in things that "used to work".

I doubt things can change; it seems too easy to add changes
like this, under the radar -- which again seems to be pointing to
a huge potential for security issues, either accidentally or otherwise.





--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
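The quoted patch behaviour (supplementary groups reset when a suid program starts) is easy to check on a given system rather than inferred from changelogs. The C program below is an added example, not code from this thread, from SUSE or from any package; it prints the credentials a process actually runs with and compares its supplementary groups against a list handed on the command line, so `./credcheck $(id -G)` invoked through a setuid copy reports how many of the caller's groups were dropped. The names credcheck, groups_dropped, parse_gid and current_groups are my own.

```c
/* credcheck.c: report real/effective ids and supplementary groups, and
 * compare the groups against a list passed as arguments (e.g. `id -G`
 * from the invoking shell). Illustrative example, not from the thread. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Return how many entries of `before` are absent from `after`.
 * Pure function so the comparison can be exercised without privileges. */
int groups_dropped(const gid_t *before, int nbefore,
                   const gid_t *after, int nafter)
{
    int dropped = 0;
    for (int i = 0; i < nbefore; i++) {
        int found = 0;
        for (int j = 0; j < nafter && !found; j++)
            if (before[i] == after[j])
                found = 1;
        if (!found)
            dropped++;
    }
    return dropped;
}

/* Parse a decimal gid from the command line; -1 on malformed input. */
long parse_gid(const char *s)
{
    char *end = NULL;
    if (s == NULL || *s == '\0')
        return -1;
    unsigned long v = strtoul(s, &end, 10);
    if (*end != '\0' || v > 0x7fffffffUL)
        return -1;
    return (long)v;
}

/* Fetch this process's supplementary groups into `buf`; count or -1. */
int current_groups(gid_t *buf, int cap)
{
    return getgroups(cap, buf);
}

int main(int argc, char **argv)
{
    gid_t mine[MAX_GROUPS];
    gid_t expected[MAX_GROUPS];
    int nmine, nexpected = 0;

    printf("uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());

    nmine = current_groups(mine, MAX_GROUPS);
    if (nmine < 0) {
        perror("getgroups");
        return 1;
    }
    printf("supplementary groups (%d):", nmine);
    for (int i = 0; i < nmine; i++)
        printf(" %u", (unsigned)mine[i]);
    printf("\n");

    /* Remaining arguments: the gids the caller had before exec. */
    for (int i = 1; i < argc && nexpected < MAX_GROUPS; i++) {
        long g = parse_gid(argv[i]);
        if (g < 0) {
            fprintf(stderr, "bad gid: %s\n", argv[i]);
            return 2;
        }
        expected[nexpected++] = (gid_t)g;
    }
    if (nexpected > 0) {
        int d = groups_dropped(expected, nexpected, mine, nmine);
        printf("%d of %d caller groups are no longer present\n", d, nexpected);
        return d > 0 ? 3 : 0;
    }
    return 0;
}
```

Run as an ordinary user it should report zero dropped groups; run through a setuid-to-root copy on a system whose suid handling clears supplementary groups, it reports every caller group as missing, which is the behaviour the quoted patch adds. Clearing inherited groups narrows what a privileged helper inherits from its caller, so it is a defensible hardening choice, but a change like that needs to be documented, because programs that rely on the caller's groups (group-based file access from inside the helper) break in ways that are hard to trace back to a packaging patch.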
