Sascha Peilicke wrote:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user names.txt):
_____________________________________________________________________
OSEP: XXXX
Title: Informational proposal: openSUSE Distribution Daemon User and Group Names
Version: 0.1
Last-Modified: 03 Mar 2014
Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel <ludwig.nussel@suse.de>
Status: Draft
Type: Informational
Created: 28 Feb 2014
Post-History:
_____________________________________________________________________

Abstract
--------
This OSEP proposes a defined pattern for unprivileged system user and group names.
Specification
-------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy.
This is certainly doable, though much effort would have to convince the various upstreams. We'll just win nothing if this becomes an openSUSE-specific thing.
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discussed and whitelisted if needed.
we're not exactly the leading horse in the distro race, we better get some good allies (as in $OTHER_DISTROS) or this is doomed to fail.
The idea is not new, openBSD is doing this silently since ten years apparently. So don't think it's immediately doomed to fail. So far we are not syncing user naming with other distros anyways. I agree it would be nice if others would adopt this policy too though.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
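One way to check passwd-format data against the pattern quoted in the proposal, with room for the whitelisting mentioned in the reply. This is an added example, not part of the thread or the OSEP; the UID cutoff `sys_uid_max`, the whitelist contents, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Pattern from the OSEP text. fullmatch() replaces the "^...$" anchors because
# Python's "$" also matches just before a trailing newline.
OSEP_NAME = re.compile(r"_[0-9a-z][0-9a-z_]*")

def conforms(name):
    """True if name follows the proposed system user/group name pattern."""
    return OSEP_NAME.fullmatch(name) is not None

def audit_passwd(text, sys_uid_max=499, whitelist=frozenset({"root"})):
    """Classify system accounts in passwd-format text.

    sys_uid_max and whitelist are assumptions of this example, not values
    taken from the proposal. Returns (conforming, whitelisted, violations).
    """
    conforming, whitelisted, violations = [], [], []
    for line in text.splitlines():
        fields = line.strip().split(":")
        try:
            name, uid = fields[0], int(fields[2])
        except (IndexError, ValueError):
            continue  # blank, comment or malformed line
        if uid > sys_uid_max:
            continue  # regular login account, outside the policy's scope
        if conforms(name):
            conforming.append(name)
        elif name in whitelist:
            whitelisted.append(name)
        else:
            violations.append(name)
    return conforming, whitelisted, violations

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
_chrony:x:480:480:Chrony daemon:/var/lib/chrony:/sbin/nologin
openstack-nova:x:481:481::/var/lib/nova:/sbin/nologin
nova:x:482:482::/var/lib/nova:/sbin/nologin
_Ntp:x:483:483::/var/lib/ntp:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    ok, listed, bad = audit_passwd(SAMPLE, whitelist=frozenset({"root", "nova"}))
    print("conforming: ", ok)
    print("whitelisted:", listed)
    print("violations: ", bad)
```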