On Wednesday 26 March 2014 13:35:17 Ludwig Nussel wrote:
Sascha Peilicke wrote:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_u ser names.txt):
_____________________________________________________________________
OSEP: XXXX
Title: Informational proposal: openSUSE Distribution Daemon User and Group Names
Version: 0.1
Last-Modified: 03 Mar 2014
Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel <ludwig.nussel@suse.de>
Status: Draft
Type: Informational
Created: 28 Feb 2014
Post-History:
_____________________________________________________________________
Abstract
--------
This OSEP proposes a defined pattern for unprivileged system user and group names.
Specification
-------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy.
This is certainly doable, though much effort would have to convince the various upstreams. We'll just win nothing if this becomes an openSUSE-specific thing.
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discussed and whitelisted if needed.
we're not exactly the leading horse in the distro race, we better get some good allies (as in $OTHER_DISTROS) or this is doomed to fail.
The idea is not new, OpenBSD has been doing this silently for ten years apparently. So don't think it's immediately doomed to fail. So far we are not syncing user naming with other distros anyways. I agree it would be nice if others would adopt this policy too though.
I'm open to it, if we want to repeat what we seem to have reached with spdx.org, we should talk to people involved in that discussion and see how we can reach a broad audience and consensus across distros before starting it.
--
Best regards,
Sascha Peilicke
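The naming pattern from the quoted OSEP draft, applied as a packaging check. This is an added example, not part of the original messages or the OSEP. The scriptlet lines, the `legacyd` whitelist entry and all function names are constructed assumptions.

```python
import re
import shlex

# Pattern from the OSEP draft quoted in the thread.
POLICY = re.compile(r"^_[0-9a-z][0-9a-z_]*$")
# Hypothetical exception list: the thread mentions whitelisting, names none.
WHITELIST = frozenset({"legacyd"})
SHELL_STOP = {"||", "&&", ";", "|"}

def name_ok(name, whitelist=WHITELIST):
    # fullmatch, not match: with re.match, "$" also matches before a
    # trailing newline, so "_foo\n" would pass.
    return name in whitelist or POLICY.fullmatch(name) is not None

def created_names(scriptlet):
    """Yield (tool, name) per useradd/groupadd call, assuming the name is
    the last argument before any shell operator or redirection."""
    for line in scriptlet.splitlines():
        tokens = shlex.split(line, comments=True)
        for i, tok in enumerate(tokens):
            tool = tok.rsplit("/", 1)[-1]
            if tool not in ("useradd", "groupadd"):
                continue
            args = []
            for arg in tokens[i + 1:]:
                if arg in SHELL_STOP or re.match(r"\d*[<>]", arg):
                    break
                args.append(arg)
            if args:
                yield tool, args[-1]
            break

def violations(scriptlet, whitelist=WHITELIST):
    return [(t, n) for t, n in created_names(scriptlet) if not name_ok(n, whitelist)]

# Constructed %pre scriptlet lines, not taken from a real package.
SAMPLE = """\
getent group _exampled >/dev/null || groupadd -r _exampled
/usr/sbin/useradd -r -g _exampled -s /sbin/nologin -c "example daemon" _exampled
useradd -r -s /sbin/nologin exampled 2>/dev/null || :
groupadd -r legacyd
useradd -r _Bad-Name
"""

if __name__ == "__main__":
    for tool, name in violations(SAMPLE):
        print(f"{tool}: {name!r} does not match the proposed pattern")
```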