[opensuse-factory] OSEP: openSUSE Distribution Daemon User and Group Names
Hello,

after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.

Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):

_____________________________________________________________________
OSEP: XXXX
Title: Informational proposal: openSUSE Distribution Daemon User and Group Names
Version: 0.1
Last-Modified: 03 Mar 2014
Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel <ludwig.nussel@suse.de>
Status: Draft
Type: Informational
Created: 28 Feb 2014
Post-History:
_____________________________________________________________________

Abstract
--------

This OSEP proposes a defined pattern for unprivileged system user and group names.

Specification
-------------

Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:

^_[0-9a-z][0-9a-z_]*$

This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy. An exception are legacy users with a static uid as created on first installation by aaa_base, like e.g. 'root' or 'nobody'.

Motivation
----------

Many packages need to add user and group names for their unprivileged daemons. Currently openSUSE Factory has a known list of more than 130<<A>> such daemon user names. Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since there is no separate name space for system users those names may collide with names of real persons. A common pattern for user names on unix systems also is to combine letters of the given names and the surname which may lead to combinations that may also collide with system user names.

Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.

Since introducing a separate namespace is not possible in the current name service model, separating system users and real users must be done by naming them differently.

Rationale
---------

A special prefix or suffix to user names is a straightforward solution to the same namespace problem. Since long user names may not fully be displayed by e.g. the ps tool the chosen method needs to be short. Therefore using a single letter character may be used. According to the recommended regular expression for usernames in the useradd manpage<<D>> of the shadow package, dollar could be used as suffix or underscore as prefix or suffix.

OpenBSD already implemented a policy to use underscore (ASCII character 95) as prefix in 2003<<C>>. This method is therefore considered proven in practice.

For symmetry reasons and because many packages also create groups with the same name as the user the same solution should be applied to groups as well.

License
-------

This document has been placed in the public domain.

References
----------

[bibliography]
- [[[A]]] current list of known user names in opensuse is maintained in link:https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config?expand=1[rpmlint]
- [[[B]]] link:http://anonscm.debian.org/viewvc/pkg-shadow/upstream/trunk/man/useradd.8.xml?view=markup[useradd manpage]
- [[[C]]] List of system users in link:http://www.openbsd.org/cgi-bin/cvsweb/\~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain[OpenBSD] with short sentence expressing the "policy"
- [[[D]]] some link:http://lists.opensuse.org/opensuse-packaging/2014-02/msg00103.html[numbers] collected by Guido

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namspace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user names.txt):
_____________________________________________________________________ OSEP: XXXX Title: Informational proposal: openSUSE Distribution Daemon User and Group Names Version: 0.1 Last-Modified: 03 Mar 2014 Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel <ludwig.nussel@suse.de> Status: Draft Type: Informational Created: 28 Feb 2014 Post-History: _____________________________________________________________________
Abstract --------
This OSEP proposes a defined pattern for unprivileged system user and group names.
Specification -------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy.
This is certainly doable, though much effort would have to convince the various upstreams. We'll just win nothing if this becomes an openSUSE-specific thing.

As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since we're not exactly the leading horse in the distro race, we better get some good allies (as in $OTHER_DISTROS) or this is doomed to fail.

--
Viele Grüße,
Sascha Peilicke
Sascha Peilicke wrote:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namspace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user names.txt):
_____________________________________________________________________ OSEP: XXXX Title: Informational proposal: openSUSE Distribution Daemon User and Group Names Version: 0.1 Last-Modified: 03 Mar 2014 Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel <ludwig.nussel@suse.de> Status: Draft Type: Informational Created: 28 Feb 2014 Post-History: _____________________________________________________________________
Abstract --------
This OSEP proposes a defined pattern for unprivileged system user and group names.
Specification -------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy.
This is certainly doable, though much effort would have to convince the various upstreams. We'll just win nothing if this becomes a openSUSE-specific thing.
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discussed and whitelisted if needed.
we're not exactly the leading horse in the distro race, we better get some good allies (as in $OTHER_DISTROS) or this is doomed to fail.
The idea is not new, openBSD is doing this silently since ten years apparently. So don't think it's immediately doomed to fail. So far we are not syncing user naming with other distros anyways. I agree it would be nice if others would adopt this policy too though.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
* Ludwig Nussel <ludwig.nussel@suse.de> [2014-03-26 13:35]:
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discused and whitelisted if needed.
I'd even go further in that system user/group names should be considered a domain of downstream distributions or users just as paths and not hardcoded at all. Many projects already do through compile-time macros or configure switches.

--
Guido Berhoerster
On Wednesday 26 March 2014 14:02:40 Guido Berhoerster wrote:
* Ludwig Nussel <ludwig.nussel@suse.de> [2014-03-26 13:35]:
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discused and whitelisted if needed.
I'd even go further in that system user/group names should be considered a domain of downstream distributions or users just as paths and not hardcoded at all. Many projects already do through compile-time macros or configure switches.
On the other hand, many people seem to have scripts which do expect certain things. Usually they expect Debian package names (and we do provide some of the more common ones). So if somebody's got some connections to those folks it's best to make use of those first.

--
Viele Grüße,
Sascha Peilicke
On Wednesday 26 March 2014 13:35:17 Ludwig Nussel wrote:
Sascha Peilicke wrote:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namspace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_u ser names.txt):
_____________________________________________________________________
OSEP: XXXX Title: Informational proposal: openSUSE Distribution Daemon User and Group
Names Version: 0.1
Last-Modified: 03 Mar 2014 Author: Guido Berhoerster <gber@opensuse.org>, Ludwig Nussel
<ludwig.nussel@suse.de> Status: Draft
Type: Informational Created: 28 Feb 2014
Post-History: _____________________________________________________________________
Abstract --------
This OSEP proposes a defined pattern for unprivileged system user and group names.
Specification -------------
Packages that add unprivileged users to e.g. run daemons as need to
use names that follow the following regular expression: ^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy.
This is certainly doable, though much effort would have to convince the various upstreams. We'll just win nothing if this becomes a openSUSE-specific thing.
As an example, we started to be nice citizens and prefixed all of our OpenStack package daemon users with "openstack-". We recently reverted that because one of the OpenStack sub-projects refused to support those. Since
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discused and whitelisted if needed.
we're not exactly the leading horse in the distro race, we better get some good allies (as in $OTHER_DISTROS) or this is doomed to fail.
The idea is not new, openBSD is doing this silently since ten years apparently. So don't think it's immediately doomed to fail. So far we are not syncing user naming with other distros anyways. I agree it would be nice if others would adopt this policy too though.
I'm open to it, if we want to repeat what we seem to have reached with spdx.org, we should talk to people involved in that discussion and see how we can reach a broad audience and consensus across distros before starting it.

--
Viele Grüße,
Sascha Peilicke
On 03/26/2014 01:35 PM, Ludwig Nussel wrote:
Quite some upstream packages actually don't really care about the user names. openstack might be an exception there. I'm sure we'll always have some that can then be discused and whitelisted if needed.
The document does not give this option of whitelisting. Could you enhance it so that it's clear what needs to be done for those cases where the policy will not work and we need to ask for an exception, please?

Andreas

--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Hey,

On 26.03.2014 11:55, Guido Berhoerster wrote:
Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.
That one you have to explain to me. How is that possible if the UID is different?

hans@rhett:~> id
uid=13045(hans) gid=100(users) groups=100(users)
hans@rhett:~> ls -lad /home/hans
drwxr-xr-x 2 hans users 4096 Mar 26 13:25 /home/hans
hans@rhett:~> ls -ladn /home/hans
drwxr-xr-x 2 13044 100 4096 Mar 26 13:25 /home/hans
hans@rhett:~> touch /home/hans/blah
touch: cannot touch ‘/home/hans/blah’: Permission denied
hans@rhett:~>

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
- Mike Tyson
Henne Vogelsang wrote:
On 26.03.2014 11:55, Guido Berhoerster wrote:
Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.
That one you have to explain to me. How is that possible if the UID is different?
hans@rhett:~> id uid=13045(hans) gid=100(users) groups=100(users) hans@rhett:~> ls -lad /home/hans drwxr-xr-x 2 hans users 4096 Mar 26 13:25 /home/hans hans@rhett:~> ls -ladn /home/hans drwxr-xr-x 2 13044 100 4096 Mar 26 13:25 /home/hans hans@rhett:~> touch /home/hans/blah touch: cannot touch ‘/home/hans/blah’: Permission denied hans@rhett:~>
So you manually edited your /etc/passwd or forced useradd to create two users hans with different uids.

That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored. So the package would re-use the existing user. In the case of hans the one with uid 13044 that owns /home/hans. There wouldn't be a second hans with uid 13045.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
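The reuse behaviour described in the message above, as an added example that is not part of the thread or of any openSUSE macro: a scriptlet-style check that tells a pre-existing system account apart from a regular user's account before the name is reused, and tests names against the OSEP pattern. The function names, the `PASSWD_FILE` variable, the `UID_MIN`/`UID_MAX` cut-offs of 1000 and 60000 and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from openSUSE's RPM macros.
# Assumed names: PASSWD_FILE, UID_MIN, UID_MAX and every function below.
LC_ALL=C; export LC_ALL          # keep [a-z] ranges ASCII-only

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
UID_MIN=${UID_MIN:-1000}         # assumed first UID given to regular users
UID_MAX=${UID_MAX:-60000}        # assumed last UID given to regular users

# Return 0 if $1 matches the OSEP pattern ^_[0-9a-z][0-9a-z_]*$
osep_name_ok() {
    case $1 in
        _[0-9a-z]*) ;;             # underscore, then a digit or lowercase letter
        *) return 1 ;;
    esac
    case ${1#_} in
        *[!0-9a-z_]*) return 1 ;;  # any other character, including '-' and newline
    esac
    return 0
}

# Print the UID stored for account $1 in PASSWD_FILE; return 1 if absent.
# On a live system `getent passwd "$1"` also covers LDAP and NIS accounts.
lookup_uid() {
    want=$1 awk -F: '($1 "") == ENVIRON["want"] { print $3; found = 1; exit }
                     END { exit !found }' "$PASSWD_FILE"
}

# Print what a %pre-style scriptlet should do with daemon account $1:
#   create            no entry, so the account can be added
#   reuse-system      entry outside the regular range (reinstall, pre-created)
#   collides-regular  entry inside UID_MIN..UID_MAX: likely a person's account
#   malformed         entry whose UID field is not a number
daemon_user_verdict() {
    if ! uid=$(lookup_uid "$1"); then
        echo create
        return 0
    fi
    case $uid in
        ''|*[!0-9]*) echo malformed; return 0 ;;
    esac
    if [ "$uid" -ge "$UID_MIN" ] && [ "$uid" -le "$UID_MAX" ]; then
        echo collides-regular
    else
        echo reuse-system
    fi
}

# One line per name: "<name> <osep-match|osep-nomatch> <verdict>".
audit_daemon_names() {
    for acct in "$@"; do
        if osep_name_ok "$acct"; then pat=osep-match; else pat=osep-nomatch; fi
        printf '%s %s %s\n' "$acct" "$pat" "$(daemon_user_verdict "$acct")"
    done
}

# Constructed sample passwd entries (not taken from a real system).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
tor:x:1001:100:Tor Example:/home/tor:/bin/bash
znc:x:487:475:ZNC daemon:/var/lib/znc:/bin/false
_ntp:x:74:74:NTP daemon:/var/lib/ntp:/bin/false
EOF
}

# Demo: 'tor' belongs to a person here, so a package reusing the name would
# run its daemon under that person's UID; '_tor' is still free.
sample=$(mktemp)
write_sample_passwd "$sample"
PASSWD_FILE=$sample
audit_daemon_names tor _tor znc _ntp nobody
rm -f "$sample"
```

A `collides-regular` verdict is the case where silently ignoring the `useradd` failure hands the daemon a person's UID; `reuse-system` covers reinstalls and accounts an admin created in advance.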
Le 26/03/2014 13:46, Ludwig Nussel a écrit :
Henne Vogelsang wrote:
On 26.03.2014 11:55, Guido Berhoerster wrote:
Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.
That one you have to explain to me. How is that possible if the UID is different?
hans@rhett:~> id uid=13045(hans) gid=100(users) groups=100(users) hans@rhett:~> ls -lad /home/hans drwxr-xr-x 2 hans users 4096 Mar 26 13:25 /home/hans hans@rhett:~> ls -ladn /home/hans drwxr-xr-x 2 13044 100 4096 Mar 26 13:25 /home/hans hans@rhett:~> touch /home/hans/blah touch: cannot touch ‘/home/hans/blah’: Permission denied hans@rhett:~>
So you manually edited your /etc/passwd or forced useradd to create two user hans with different uids. That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored. So the package would re-user the existing user. In the case of hans the one with uid 13044 that owns /home/hans. There wouldn't be a second hans with uid 13045.
cu Ludwig
Question: is that possible to share users between unprivileged daemons? It would avoid to have tons of users.
denisart benjamin2 - 13:49 26.03.14 wrote:
Le 26/03/2014 13:46, Ludwig Nussel a écrit :
Henne Vogelsang wrote:
On 26.03.2014 11:55, Guido Berhoerster wrote:
Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.
That one you have to explain to me. How is that possible if the UID is different?
hans@rhett:~> id uid=13045(hans) gid=100(users) groups=100(users) hans@rhett:~> ls -lad /home/hans drwxr-xr-x 2 hans users 4096 Mar 26 13:25 /home/hans hans@rhett:~> ls -ladn /home/hans drwxr-xr-x 2 13044 100 4096 Mar 26 13:25 /home/hans hans@rhett:~> touch /home/hans/blah touch: cannot touch ‘/home/hans/blah’: Permission denied hans@rhett:~>
So you manually edited your /etc/passwd or forced useradd to create two user hans with different uids. That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored. So the package would re-user the existing user. In the case of hans the one with uid 13044 that owns /home/hans. There wouldn't be a second hans with uid 13045.
cu Ludwig
Question : is that possible to share users between unprivilegied daemons ? It would avoid to have tons of users.
In general not. They would have access to data of each other. And which daemon is unprivileged? :-)

--
Michal HRUSECKY              SUSE LINUX, s.r.o.
openSUSE Team                Lihovarska 1060/12
PGP 0xFED656F6               19000 Praha 9
mhrusecky[at]suse.cz         Czech Republic
http://michal.hrusecky.net   http://www.suse.cz
Hey,

On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
- Mike Tyson
* Henne Vogelsang <hvogel@opensuse.org> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"? We intentionally allow admins to pre-create user/groups as that makes sense so they can e.g. ensure a user/group is associated with a certain uid/gid and we neither remove user/groups on deinstallation as e.g. it might leave files owned by it behind.

--
Guido Berhoerster
On 27.03.2014 13:25, Guido Berhoerster wrote:
* Henne Vogelsang <hvogel@opensuse.org> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"?
Simple: If some package adds a user/group during installation and that action fails, it shouldn't fail silently and expose the risks Ludwig mentioned...

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
- Mike Tyson
Henne Vogelsang - 14:07 27.03.14 wrote:
On 27.03.2014 13:25, Guido Berhoerster wrote:
* Henne Vogelsang <hvogel@opensuse.org> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"?
Simple: If some package adds a user/group during installation and that action fails, it shouldn't fail silently and expose the risks Ludwig mentioned...
Typically it is not an error. You might have user account precreated as mentioned, but what actually makes a better use case is that you installed for example mysql, played with it, uninstalled it accidentally or you migrated to mariadb and now you are installing it again. Data left behind still have mysql user owning them and you want your new installation to succeed and not to bother you with solving conflicts. I would say that there is typically more frequent case than somebody being named the same as some daemon...

--
Michal HRUSECKY              SUSE LINUX, s.r.o.
openSUSE Team                Lihovarska 1060/12
PGP 0xFED656F6               19000 Praha 9
mhrusecky[at]suse.cz         Czech Republic
http://michal.hrusecky.net   http://www.suse.cz
Henne Vogelsang wrote:
On 27.03.2014 13:25, Guido Berhoerster wrote:
* Henne Vogelsang <hvogel@opensuse.org> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"?
Simple: If some package adds a user/group during installation and that action fails, it shouldn't fail silently and expose the risks Ludwig mentioned...
You have to ignore the error. Reusing an already existing user is a feature as the package can't make guesses about why the user already exists. Reasons for an already existing user might be that a package has been uninstalled and reinstalled, several packages using the same user or an admin pre-creating users to get fixed uids.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Thu, 27 Mar 2014 14:43, Ludwig Nussel <ludwig.nussel@...> wrote:
Henne Vogelsang wrote:
On 27.03.2014 13:25, Guido Berhoerster wrote:
* Henne Vogelsang <hvogel@...> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"?
Simple: If some package adds a user/group during installation and that action fails, it shouldn't fail silently and expose the risks Ludwig mentioned...
You have to ignore the error. Reusing an already existing use is a features as the package can't make guesses about why the user already exists. Reasons for an already existing users might be that a package has been uinstalled and reinstalled, several packages using the same user or an admin pre-creating users to get fixed uids.
IMHO the macro is formulated the wrong way, change the macro, and you can use the error:

Proposal for useradd macro:

'check for existing group' $prg_group || addgroup [options] $prg_group || throw group_error
'check for existing user' $prg_user || adduser [options] $prg_user || throw user_error

note the 'check for existing ...' that is not in the macro atm. with it we can use the error of add(group|user)

On the topic of underscore prefix, I'd propose that any new daemon users and groups should do that asap. As in: any valid incoming request for new daemon user / group names will get the answer ok with prefix, or have to plead a really strong case for without prefix. Let's start the progress.

On the argument about cgroups and name-spaces, I'd like to add the following: IF using cgroups and name-spaces would really work THAT fine, all daemons would run under the UID / GID of 'daemon' e.g. numeric "2" so stop arguing in that direction before you fix all the underlying issues, then you can come back and argue in this direction and bring valid proving with your arguments.

As long as file access works with UID / GID any argument about cgroups and co. as a replacement is wasted space and resources.

Prove me wrong, I dare you! *Prove* I say, with code.

- Yamaban

--
If I could get a firm grip on reality, I'd choke it.
On 03/27/14 14:07, Henne Vogelsang wrote:
On 27.03.2014 13:25, Guido Berhoerster wrote:
* Henne Vogelsang <hvogel@opensuse.org> [2014-03-27 11:51]:
On 26.03.2014 13:46, Ludwig Nussel wrote:
That's not what happens when installing packages. Packages typically call useradd in %pre. If the user already exists the useradd is either not called or the error ignored.
This sounds like the way more pressing thing to fix then. I guess this OSEP should be about enforcing a useradd macro in factory...
How do you suggest that should be "fixed"?
Simple: If some package adds a user/group during installation and that action fails, it shouldn't fail silently and expose the risks Ludwig mentioned...
That would make it impossible to have pre-existing users, e.g. in LDAP or NIS. In our environment some daemon users are allocated there, to get defined common behavior. Especially good in clusters, or when NFS v3 is still used.

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org
Hi Guido,
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
I don't think the second character should be starting with a digit, so something like '^_[a-z][0-9a-z_]+$' would be more sensible.

Furthermore I think the user/group name that is added should have some correspondence to the package itself. My initial thought would have been "must have sub part of package name as part of its name", but that is slightly too strict (like e.g. forbidding www for apache2, which might not be what we want).

Out of curiosity: did you compare this suggested policy to what other distributions (debian or fedora for example) do? We're not going to win anything by being for example explicitly incompatible with Debian. The reason I'm mentioning this is because some upstreams do not accept patches for adding support for something that is debian policy incompatible.

Thanks,
Dirk
* Dirk Müller <dirk@dmllr.de> [2014-03-26 15:00]:
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
I don't think the second character should be starting with a digit, so something like '^_[a-z][0-9a-z_]+$' would be more sensible.
The above was based on useradd(8) which currently enforces '[a-z_][a-z0-9_-]*[$]?'. Given that there are no system groups/users starting with a digit in openSUSE a more restrictive '^_[a-z][0-9a-z_]+$' as a variation of the original + '_'-prefix sounds reasonable.
Furthermore I think the user/group name that is added should have some correspondence to the package itself. My initial thought would have been "must have sub part of package name as part of its name", but that is slightly too strict (like e.g. forbidding www for apache2, which might not be what we want).
I have no particular opinion regarding that, however as was pointed out in the discussion on -packaging we need to take care not to create too long names, i.e. strive to remain below 8 characters if possible.
Out of curiosity: did you compare this suggested policy to what other distributions (debian or fedora for example) do? We're not going to
Yes, they have no specific policies regarding user/group names, see e.g. Section 9.2.1 in the Debian Policy Manual: https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.1
win anything by being for example explicitely incompatible with Debian. The reason I'm mentioning this is because some upstreams do not accept patches for adding support for something that is debian policy incompatible.
Even though nothing contradicts this in Debian/Fedora policy, there may also be a few cases where upstream insists on hardcoding users/groups. In such cases we'd have to patch like we e.g. do with paths that contradict the FHS, in the vast majority of cases this is fairly trivial from what I've seen in the OpenBSD ports.

--
Guido Berhoerster
El 26/03/14 07:55, Guido Berhoerster escribió:
Specification
-------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
Oh ye old Unix design..still giving joy... What about NOT adding *new* usernames unless there is a good reason to? and encouraging people to drop capabilities, use seccomp, change namespace etc using the systemd functionality designed for that very purpose ? As you may guess by now. I do not agree with this proposal, as we are just papering over a known design limitation.
Cristian Rodríguez wrote:
El 26/03/14 07:55, Guido Berhoerster escribió:
Specification
-------------
Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
Oh ye old Unix design..still giving joy...
What about NOT adding *new* usernames unless there is a good reason to? and encouraging people to drop capabilities, use seccomp, change namespace etc using the systemd functionality designed for that very purpose ?
As you may guess by now. I do not agree with this proposal, as we are just papering over a known design limitation.
This policy doesn't paper over anything and doesn't prevent anyone to leverage modern Linux security features. The policy merely puts some order in existing practices that won't go away anytime soon. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On 03/26/2014 11:55 AM, Guido Berhoerster wrote:
Many packages need to add user and group names for their unprivileged daemons. Currently openSUSE Factory has a known lists of more than 130<<A>> such daemon user names. Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since there is no separate name space for system users those names may collide with names of real persons.
Well, if one wants to avoid name clashes, then why not avoiding names at all? I mean AFAIK there's no reason why a daemon shouldn't be run by UID/GID, is there? ;-) Even venerable chroot(1) allows that with the +UID:+GID notation:
  $ chroot --userspec=+1234:+2345 / /usr/bin/id
  uid=1234 gid=2345
And there are several other tools out there for this, ... and there are namespaces, as already mentioned by someone else. Have a nice day, Berny
Bernhard Voelker wrote:
On 03/26/2014 11:55 AM, Guido Berhoerster wrote:
Many packages need to add user and group names for their unprivileged daemons. Currently openSUSE Factory has a known lists of more than 130<<A>> such daemon user names. Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since there is no separate name space for system users those names may collide with names of real persons.
Well, if one wants to avoid name clashes, then why not avoiding names at all? I mean AFAIK there's no reason why a daemon shouldn't be run by UID/GID, is there? ;-)
Then we'd need a registry of uids in addition to /etc/passwd to block already taken uids. Otherwise useradd may re-use uids taken by daemons or two daemons may use the same uid. That sounds more awkward to me. cu Ludwig
On 03/27/2014 09:57 AM, Ludwig Nussel wrote:
Otherwise useradd may re-use uids taken by daemons [...]
This topic is about avoiding user name/group clashes. However that is solved (e.g. by the proposed policy/convention), avoiding clashing UIDs is still an open question. (TBH I don't care much about the names - the important thing are the UIDs/GIDs.)
[...] two daemons may use the same uid. That sounds more awkward to me.
Hmm, heretical question: why not? Isn't that what namespaces are for? I didn't play with that very much, but from upstream bug reports from Fedora, I have the impression that they're starting to heavily use namespaces ... and separating daemons would be a perfect reason for this. Just kidding, but in extreme, one single 'daemon/daemon' user would suffice. ;-) Have a nice day, Berny
Bernhard Voelker wrote:
On 03/27/2014 09:57 AM, Ludwig Nussel wrote:
Otherwise useradd may re-use uids taken by daemons [...]
This topic is about avoiding user name/group clashes. However that is solved (e.g. by the proposed policy/convention), avoiding clashing UIDs is still an open question. (TBH I don't care much about the names - the important thing are the UIDs/GIDs.)
useradd chooses a new uid for each user so the uid clash is avoided implicitly by using different user names.
[...] two daemons may use the same uid. That sounds more awkward to me.
Hmm, heretical question: why not? Isn't that what namespaces are for? I didn't play with that very much, but from upstream bug reports from Fedora, I have the impression that they're starting to heavily use namespaces ... and separating daemons would be a perfect reason for this.
Just kidding, but in extreme, one single 'daemon/daemon' user would suffice. ;-)
Feel free to explore that possibility. I don't think the proposed policy conflicts with other ways to achieve privilege separation. cu Ludwig
On 03/28/2014 08:55 AM, Ludwig Nussel wrote:
Bernhard Voelker wrote:
This topic is about avoiding user name/group clashes. However that is solved (e.g. by the proposed policy/convention), avoiding clashing UIDs is still an open question. (TBH I don't care much about the names - the important thing are the UIDs/GIDs.)
useradd chooses a new uid for each user so the uid clash is avoided implicitly by using different user names.
Hmm, the discussion started with problems - at least partly - to avoid clashes in heterogeneous environments, e.g. with LDAP [1]. AFAIK also the UIDs are in LDAP in such a case ... so I don't understand how 'useradd' would help in this scenario. Do I miss something? After all, IMHO avoiding clashes (may it be names or IDs) is best done by avoiding to create more users for such daemons. [1] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html Have a nice day, Berny
Bernhard Voelker wrote:
On 03/28/2014 08:55 AM, Ludwig Nussel wrote:
Bernhard Voelker wrote:
This topic is about avoiding user name/group clashes. However that is solved (e.g. by the proposed policy/convention), avoiding clashing UIDs is still an open question. (TBH I don't care much about the names - the important thing are the UIDs/GIDs.)
useradd chooses a new uid for each user so the uid clash is avoided implicitly by using different user names.
Hmm, the discussion started with problems - at least partly - to avoid clashes in heterogeneous environments, e.g. with LDAP [1]. AFAIK also the UIDs are in LDAP in such a case ... so I don't understand how 'useradd' would help in this scenario. Do I miss something?
I'm not sure I understand what you are trying to say. useradd iterates over all entries in passwd to find the next free uid in the configured range (100-499 by default for system users). So by adding a new username you always also get a new uid. Unless you explicitly force one specific uid of course, but that is not what our packages do. cu Ludwig
On 03/28/2014 03:41 PM, Ludwig Nussel wrote:
Bernhard Voelker wrote:
Hmm, the discussion started with problems - at least partly - to avoid clashes in heterogeneous environments, e.g. with LDAP [1]. AFAIK also the UIDs are in LDAP in such a case ... so I don't understand how 'useradd' would help in this scenario. Do I miss something?
I'm not sure I understand what you are trying to say.
Actually the same as Joachim in http://lists.opensuse.org/opensuse-factory/2014-03/msg00386.html Admins create users in the LDAP. So as there are 2 sources of truth, it is pointless to try to avoid clashing with 'useradd'. Instead, one can only minimize the possibility of clashes by reducing the number of local daemon users. Have a nice day, Berny
* Bernhard Voelker <mail@bernhard-voelker.de> [2014-03-28 16:42]:
On 03/28/2014 03:41 PM, Ludwig Nussel wrote:
Bernhard Voelker wrote:
Hmm, the discussion started with problems - at least partly - to avoid clashes in heterogeneous environments, e.g. with LDAP [1]. AFAIK also the UIDs are in LDAP in such a case ... so I don't understand how 'useradd' would help in this scenario. Do I miss something?
I'm not sure I understand what you are trying to say.
Actually the same as Joachim in http://lists.opensuse.org/opensuse-factory/2014-03/msg00386.html
Admins create users in the LDAP. So as there are 2 sources of truth, it is pointless to try to avoid clashing with 'useradd'.
What does this have to do with the proposal? If you pre-create system accounts in LDAP you can do that as before, with the added benefit that you will not have clashes between system and regular usernames as long as you disallow a leading '_' for regular usernames.
Instead, one can only minimize the possibility of clashes by reducing the number of local daemon users.
That is not going to happen any time soon if ever, to the contrary with the number of packages in Factory steadily rising the number of daemons and associated system users will grow as well. -- Guido Berhoerster
On 03/28/14 16:42, Bernhard Voelker wrote:
On 03/28/2014 03:41 PM, Ludwig Nussel wrote:
Bernhard Voelker wrote:
Hmm, the discussion started with problems - at least partly - to avoid clashes in heterogeneous environments, e.g. with LDAP [1]. AFAIK also the UIDs are in LDAP in such a case ... so I don't understand how 'useradd' would help in this scenario. Do I miss something?
I'm not sure I understand what you are trying to say.
Actually the same as Joachim in http://lists.opensuse.org/opensuse-factory/2014-03/msg00386.html
Admins create users in the LDAP. So as there are 2 sources of truth, it is pointless to try to avoid clashing with 'useradd'.
I don't understand your argument. If I pre-establish a user postgres in LDAP, useradd won't add it, as it exists already. No conflict at all, LDAP account is used, no local account is established. Of course, I have to take care that UID # conflicts won't happen by using a different number range than that's used for local system accounts. That minor complication is fine for me: net-wide user accounts are used by a minority of openSUSE installations, no need to make it bullet-proof - it will only be used by professionals, anyhow. I don't ask to make it the default, I ask for not making it a failure and thus making setups like ours impossible. Concerning Cristian's proposal to use one daemon account and systemd / modern Linux facilities to handle privilege separations, which might also be your argument to reduce the number of local daemon users: I have to support heterogeneous environments. Linux-only solutions are out of question. I don't know if your proposal to reduce the number of local daemon users goes into same direction -- if yes, I don't support it. In fact, proponents of Linux-only solutions are IMNSHO not much better than Microsoft fan-boys who want to turn a whole datacenter into an AD controlled environment with Windows-centric conventions. Not caring for heterogenoues [sp?] environments is a recipe for long-term failure, in my experience. Your own preferred environments won't last long enough to enjoy world dominance, even though some younger hot-heads might not believe it. (I started IT work with BS2000 / MVS mainframes more than 3 decades ago and survived the UNIX wars, FWIW; so I have the scars to show that the IT landscape changes faster than some would like it.) Cheers, Joachim -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod, Roedermark, Germany Email: jschrod@acm.org
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
[snip]
So here's what could be done:
- The Factory policies mandate the daemon usernames are in rpmlint's whitelist. Currently, it's just a warning.
+ factory-auto will auto-decline packages with useradd/groupadd including names that aren't part of rpmlint's whitelist
- The packager then discusses with the rpmlint maintainers about the name. Whatever they conclude with is entirely up to them. They may choose to "just follow upstream" or this OSEP proposal.
This way the Factory review team avoids having to fight a proxy war. The only policy would be "add yourself to rpmlint's whitelist". Of course, I assume that those having started the discussion would:
- enhance the factory-auto script
- update rpmlint's existing whitelist with what we currently have
- add a remark to our packaging policies in the wiki
- notify review@opensuse.org that this is in effect
Thoughts? -- Viele Grüße, Sascha Peilicke
* Sascha Peilicke <saschpe@mailbox.org> [2014-03-27 12:13]:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
[snip]
So here's what could be done:
- The Factory policies mandate the daemon usernames are in rpmlint's whitelist. Currently, it's just a warning.
+ factory-auto will auto-decline packages with useradd/groupadd including names that aren't part of rpmlint's whitelist
- The packager then discusses with the rpmlint maintainers about the name. Whatever they conclude with is entirely up to them. They may choose to "just follow upstream" or this OSEP proposal.
This way the Factory review team avoids having to fight a proxy war. The only policy would be "add yourself to rpmlint's whitelist". Of course, I assume
Making it completely optional would make this effort pointless since the goal is to have a safe namespace in which admins can create arbitrary user/groupnames without worrying of colliding with system users/groups. Ending up with half of the users/groups using prefixing and the other half not does not gain us anything. If an upstream is unwilling to at least make it possible to override a user/groupname then we would have to patch it, that is pretty much the same way how we enforce other namespaces such as the filesystem layout. Note that in the vast majority of cases this will not be necessary (see the -packaging thread for some numbers). So IMO this should be enforced for new packages while existing packages could be gradually converted with users/groups in aaa_base as the only exception. As demonstrated by the OpenBSD ports this is entirely possible.
that those having started the discussion would:
- enhance the factory-auto script - update rpmlint's existing whitelist with what we currently have - add a remark to our packaging policies in the wiki - notify review@opensuse.org that this is in effect
Sure. I'd also be willing to help migrate packages. -- Guido Berhoerster
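The name patterns quoted at the start of this thread, combined with the automated check on useradd/groupadd calls proposed above, as an added example that is not part of the original thread and is not rpmlint or factory-auto code. The anchoring of the useradd(8) pattern, counting the length limit with the underscore included, the exempt set and the sample %pre scriptlet are assumptions or constructed for illustration.

```python
import re
import shlex

# Patterns as quoted in the thread. fullmatch() is used below because in
# Python a bare "$" also matches before a trailing newline ("_tor\n").
OSEP_RE = re.compile(r"^_[0-9a-z][0-9a-z_]*$")       # OSEP draft 0.1
STRICT_RE = re.compile(r"^_[a-z][0-9a-z_]+$")        # stricter variant from the replies
USERADD_RE = re.compile(r"^[a-z_][a-z0-9_-]*[$]?$")  # useradd(8) rule; anchors added here

# Assumption: the legacy aaa_base names the OSEP gives as examples of the exception.
LEGACY_EXEMPT = {"root", "nobody"}
# "strive to remain below 8 characters"; assumption: the "_" prefix counts.
MAX_LEN = 8

REDIR_RE = re.compile(r"^\d*[<>]")


def strip_redirections(tokens):
    """Drop shell redirections such as '>/dev/null', '2>&1' or '2> file'."""
    out, skip_next = [], False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if REDIR_RE.match(tok):
            # A bare '>' or '2>' takes the following token as its target.
            skip_next = re.fullmatch(r"\d*[<>]+", tok) is not None
            continue
        out.append(tok)
    return out


def created_names(scriptlet):
    """Yield (kind, name) for every useradd/groupadd call in a scriptlet.

    Handles the usual 'getent ... || useradd ... NAME' shape. Assumption:
    shell control operators do not occur inside quoted arguments.
    """
    text = scriptlet.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in re.split(r"\|\||&&|[;|]", line):
            try:
                tokens = strip_redirections(shlex.split(segment))
            except ValueError:  # unbalanced quotes: not a command we can read
                continue
            for i, tok in enumerate(tokens):
                tool = tok.rsplit("/", 1)[-1]
                if tool in ("useradd", "groupadd") and tokens[i + 1:]:
                    name = tokens[-1]  # LOGIN/GROUP is the last argument
                    if not name.startswith("-"):
                        yield ("user" if tool == "useradd" else "group", name)
                    break


def check_name(name):
    """Return the list of findings for one name; an empty list means it passes."""
    if name in LEGACY_EXEMPT:
        return []
    findings = []
    if not OSEP_RE.fullmatch(name):
        findings.append("not-in-osep-namespace")
    elif not STRICT_RE.fullmatch(name):
        findings.append("fails-stricter-variant")
    if not USERADD_RE.fullmatch(name):
        findings.append("rejected-by-useradd-rule")
    if len(name) >= MAX_LEN:
        findings.append("long-name")
    return findings


def review(scriptlet):
    """Map each offending (kind, name) in the scriptlet to its findings."""
    report = {}
    for kind, name in created_names(scriptlet):
        findings = check_name(name)
        if findings:
            report[(kind, name)] = findings
    return report


# Constructed %pre scriptlet using daemon names mentioned in the OSEP text.
SAMPLE_PRE = r"""
getent group _vdr >/dev/null || %{_sbindir}/groupadd -r _vdr
getent passwd _vdr >/dev/null || %{_sbindir}/useradd -r -g _vdr \
    -d /var/lib/vdr -s /sbin/nologin -c "Video Disk Recorder" _vdr 2>/dev/null || :
/usr/sbin/useradd -r -s /bin/false znc
groupadd -r _9p
"""

if __name__ == "__main__":
    for key, findings in review(SAMPLE_PRE).items():
        print(key, findings)
```

The same check_name() can be run over regular account names from LDAP to confirm none of them begins with '_', which is the condition the namespace separation depends on.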
On Thursday 27 March 2014 13:37:09 Guido Berhoerster wrote:
* Sascha Peilicke <saschpe@mailbox.org> [2014-03-27 12:13]:
On Wednesday 26 March 2014 11:55:51 Guido Berhoerster wrote:
[snip]
So here's what could be done:
- The Factory policies mandate the daemon usernames are in rpmlint's whitelist. Currently, it's just a warning.
+ factory-auto will auto-decline packages with useradd/groupadd including names that aren't part of rpmlint's whitelist
- The packager then discusses with the rpmlint maintainers about the name. Whatever they conclude with is entirely up to them. They may choose to "just follow upstream" or this OSEP proposal.
This way the Factory review team avoids having to fight a proxy war. The only policy would be "add yourself to rpmlint's whitelist". Of course, I assume Making it completely optional would make this effort pointless...
"optional" is completely wrong vocabulary here. My proposal frees the review team from yet something more people will argue with them. Instead, it becomes a discussion between the rpmlint maintainers (aka security-aware people) and the packager. Isn't that a smart move? Otherwise, if you want to enforce things, it's going to be your task to convince people. Not our war.
since the goal is to have a safe namespace in which admins can create arbitrary user/groupnames without worrying of colliding with system users/groups. Ending up with half of the users/groups using prefixing and the other half not does not gain us anything.
Nobody wants that. Trust me, you'll infuriate a lot of users.
If an upstream is unwilling to at least make it possible to override a user/groupname then we would have to patch it, that is pretty much the same way how we enforce other namespaces such as the filesystem layout. Note that in the vast majority of cases this will not be necessary (see the -packaging thread for some numbers).
You could have it the other way around, too. Move the rpmlint user whitelist into aaa_base or shadow and have 'useradd' & co check against the list of taken users :-D
So IMO this should be enforced for new packages while existing packages could be gradually converted with users/groups in aaa_base as the only exception. As demonstrated by the OpenBSD ports this is entirely possible.
Not really, do you know how many of our users have scripts including, e.g., 'su postgres -c "psql"'? I know of at least one, me.
that those having started the discussion would:
- enhance the factory-auto script - update rpmlint's existing whitelist with what we currently have - add a remark to our packaging policies in the wiki - notify review@opensuse.org that this is in effect
Sure. I'd also be willing to help migrate packages.
-- Viele Grüße, Sascha Peilicke
On Thursday 2014-03-27 14:31, Sascha Peilicke wrote:
This way the Factory review team avoids having to fight a proxy war. The only policy would be "add yourself to rpmlint's whitelist". Of course, I assume
Making it completely optional would make this effort pointless...
"optional" is completely wrong vocabulary here. My proposal frees the review team from yet something more people will argue with them. Instead, it becomes a discussion between the rpmlint maintainers (aka security-aware people) and the packager. Isn't that a smart move?
rpmlint is not normally associated with security (*permissions.rpm* would be), but policy/correctness. And as it so happens sufficiently many times, rpmlint has got some false positives. I feel opposed to whitelists, especially when they don't get updated.
Jan Engelhardt wrote:
On Thursday 2014-03-27 14:31, Sascha Peilicke wrote:
This way the Factory review team avoids having to fight a proxy war. The only policy would be "add yourself to rpmlint's whitelist". Of course, I assume
Making it completely optional would make this effort pointless...
"optional" is completely wrong vocabulary here. My proposal frees the review team from yet something more people will argue with them. Instead, it becomes a discussion between the rpmlint maintainers (aka security-aware people) and the packager. Isn't that a smart move?
rpmlint is not normally associated with security (*permissions.rpm* would be), but policy/correctness. And as it so happens sufficiently many times, rpmlint has got some false positives. I feel opposed to whitelists, especially when they don't get updated.
We already do have a whitelist of users and groups in rpmlint and it's kept fairly up to date. The rpmlint error triggered by that warning was not fatal so far though. cu Ludwig
Hi, On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namspace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution? Coincidentally the LSB working group just had a face to face meeting at the Linux Foundation Collaboration Summit last week and we decided that after the release of the LSB 5.0 specification we (the LSB work group) want to shift our focus and become the place where distributions can discuss such problems and come to an agreement for Linux as a platform rather than every distro implementing their own solution. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Why do we look at Fedora or Debian? We are _SUSE_. Let them follow us. BTW, ask OpenBSD people. There are too many cases when it's heard "Fedora, Fedora, Fedora, ...".
:-(
On Fri, 28 Feb 2014 10:53:56 +0100 Guido Berhoerster wrote:
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
+ 100500 -- WBR Kyrill
On 04/01/2014 04:17 PM, Kyrill Detinov wrote:
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Why do we look at Fedora or Debian? We are _SUSE_. Let them follow us.
That worked out well for the OpenStack user names didn't it. On a more rational note. Although we create different distributions we are still part of the same community. Thus, seeking consensus when faced with the same problem generally leads to a solution that can be implemented by everyone and thus makes it easier to get support in upstream projects that feed the distribution. Maybe our proposed solution will end up being the consensus, who knows. Later, Robert
* Robert Schweikert <rjschwei@suse.com> [2014-04-01 23:06]:
On 04/01/2014 04:17 PM, Kyrill Detinov wrote:
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Why do we look at Fedora or Debian? We are _SUSE_. Let them follow us.
That worked out well for the OpenStack user names didn't it.
On a more rational note. Although we create different distributions we are still part of the same community. Thus, seeking consensus when faced with the same problem generally leads to a solution that can be implemented by everyone and thus makes it easier to get support in upstream projects that feed the distribution. Maybe our proposed solution will end up being the consensus, who knows.
While it might be nice to have this commonly adopted it's not like that we currently have identical user/group names across Linux distro's let alone the wider UN*X landscape, so I don't really see a good reason why this should hamper adoption by openSUSE. And I actually disagree to push this scheme upstream, it should be none of upstream's business under which username we run their daemon as much as it is none of their business under which path prefix it is installed. Rather that should be configurable and fortunately for most projects it already is. -- Guido Berhoerster
On 04/01/2014 05:55 PM, Guido Berhoerster wrote:
* Robert Schweikert <rjschwei@suse.com> [2014-04-01 23:06]:
On 04/01/2014 04:17 PM, Kyrill Detinov wrote:
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Why do we look at Fedora or Debian? We are _SUSE_. Let them follow us.
That worked out well for the OpenStack user names didn't it.
On a more rational note. Although we create different distributions we are still part of the same community. Thus, seeking consensus when faced with the same problem generally leads to a solution that can be implemented by everyone and thus makes it easier to get support in upstream projects that feed the distribution. Maybe our proposed solution will end up being the consensus, who knows.
While it might be nice to have this commonly adopted it's not like that we currently have identical user/group names across Linux distro's let alone the wider UN*X landscape, so I don't really see a good reason why this should hamper adoption by openSUSE. And I actually disagree to push this scheme upstream, it should be none of upstream's business under which username we run their daemon as much as it is none of their business under which path prefix it is installed. Rather that should be configurable and fortunately for most projects it already is.
True, but you have to concede that it may be a PITA for admins and ISVs that may have to maintain and support multiple distributions when everyone does their own thing. I am not saying we should not try to find a solution to a problem, all I am asking is to try and build consensus across distributions. Why is this unreasonable and why do we have to pound our chest and say we are openSUSE never mind the other guys? So here is a problem statement: https://github.com/LinuxStandardBase/lsb/pull/2 That could use some help, examples and general polish. Once we have this nicely wrapped up I am more than happy to get this solicited to other distros, debian and fedora, through the LSB working group. If no consensus can be found then we'll go ahead and make up our own stuff, no problem there. Later, Robert
* Robert Schweikert <rjschwei@suse.com> [2014-04-02 13:37]:
On 04/01/2014 05:55 PM, Guido Berhoerster wrote:
* Robert Schweikert <rjschwei@suse.com> [2014-04-01 23:06]:
On 04/01/2014 04:17 PM, Kyrill Detinov wrote:
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Why do we look at Fedora or Debian? We are _SUSE_. Let them follow us.
That worked out well for the OpenStack user names didn't it.
On a more rational note. Although we create different distributions we are still part of the same community. Thus, seeking consensus when faced with the same problem generally leads to a solution that can be implemented by everyone and thus makes it easier to get support in upstream projects that feed the distribution. Maybe our proposed solution will end up being the consensus, who knows.
While it might be nice to have this commonly adopted it's not like that we currently have identical user/group names across Linux distro's let alone the wider UN*X landscape, so I don't really see a good reason why this should hamper adoption by openSUSE. And I actually disagree to push this scheme upstream, it should be none of upstream's business under which username we run their daemon as much as it is none of their business under which path prefix it is installed. Rather that should be configurable and fortunately for most projects it already is.
True, but you have to concede that it may be a PITA for admins and ISVs that may have to maintain and support multiple distributions when everyone does their own thing.
Right, but that is the status quo, see e.g. the wwwrun vs apache vs www-data user in openSUSE, Fedora/RHEL, and Debian/Ubuntu. So matters wouldn't be so much worse than they are now in terms of cross-distro compatibility
I am not saying we should not try to find a solution to a problem, all I am asking is to try and build consensus across distributions. Why is this unreasonable and why do we have to pound our chest and say we are openSUSE never mind the other guys?
I wasn't suggesting that, trying to get this adopted by other distros might be worthwhile but on the other hand failing to reach consensus among distros or failing to get approval from each and every upstream should not keep us from implementing it.
So here is a problem statement:
https://github.com/LinuxStandardBase/lsb/pull/2
That could use some help, examples and general polish. Once we have this nicely wrapped up I am more than happy to get this solicited to other distros, debian and fedora, through the LSB working group. If
Sounds good, what do you need there? Could you incorporate the "Motivation" section from the OSEP into the problem statement?
no consensus can be found then we'll go ahead and make up our own stuff, no problem there.
Fine with me. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 04/02/2014 02:59 PM, Guido Berhoerster wrote:
* Robert Schweikert <rjschwei@suse.com> [2014-04-02 13:37]:
On 04/01/2014 05:55 PM, Guido Berhoerster wrote:
* Robert Schweikert <rjschwei@suse.com> [2014-04-01 23:06]:
On 04/01/2014 04:17 PM, Kyrill Detinov wrote:
On Mon, 31 Mar 2014 09:00:24 -0400 Robert Schweikert wrote:
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
<snip>
So here is a problem statement:
https://github.com/LinuxStandardBase/lsb/pull/2
That could use some help, examples and general polish. Once we have this nicely wrapped up I am more than happy to get this solicited to other distros, debian and fedora, through the LSB working group. If
Sounds good, what do you need there? Could you incorporate the "Motivation" section from the OSEP into the problem statement?
Done. Thanks for the idea. Once the problem statement is merged I will cherry pick parts from the OSEP and stick them into the "Proposed Solution" section. Then we can solicit feedback through the LSB from other distros. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On Mon, Mar 31, 2014 at 09:00:24AM -0400, Robert Schweikert wrote:
Hi,
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Coincidentally the LSB working group just had a face to face meeting at the Linux Foundation Collaboration Summit last week and we decided that after the release of the LSB 5.0 specification we (the LSB work group) want to shift our focus and become the place where distributions can discuss such problems and come to an agreement for Linux as a platform rather than every distro implementing their own solution.
So, trying to take over the role that freedesktop.org currently has? :) That's a _really_ big change for LSB, was this announced anywhere? thanks, greg k-h
On 04/02/2014 07:39 PM, Greg KH wrote:
On Mon, Mar 31, 2014 at 09:00:24AM -0400, Robert Schweikert wrote:
Hi,
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Coincidentally the LSB working group just had a face to face meeting at the Linux Foundation Collaboration Summit last week and we decided that after the release of the LSB 5.0 specification we (the LSB work group) want to shift our focus and become the place where distributions can discuss such problems and come to an agreement for Linux as a platform rather than every distro implementing their own solution.
So, trying to take over the role that freedesktop.org currently has? :)
Hmm, not really, I think. Stuff that freedesktop.org has done has found its way into the LSB, see xdg-utils for example. But I can see where there would be a potential overlap with freedesktop.org and that's certainly worth a discussion (not on this list of course) ;) The LSB working group is still interested in verification though, while freedesktop.org provides documentation without testing or a pledge by distributions to actually implement the stuff that's on freedesktop.org. So there is a bit of a different angle.
That's a _really_ big change for LSB,
Yes it is.
was this announced anywhere?
We are still working on that part. There is an executive summary of the LSB meeting here: https://wiki.linuxfoundation.org/en/LSB_Plenary_2014#Meeting_Minutes Detailed meeting minutes are to follow, that's on Jeff's plate ;) plus Jeff has to report through the LF chain what the working group came up with last week ;) maybe you can help with that, hint hint.... :D Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On Wed, Apr 02, 2014 at 08:00:40PM -0400, Robert Schweikert wrote:
On 04/02/2014 07:39 PM, Greg KH wrote:
On Mon, Mar 31, 2014 at 09:00:24AM -0400, Robert Schweikert wrote:
Hi,
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Coincidentally the LSB working group just had a face to face meeting at the Linux Foundation Collaboration Summit last week and we decided that after the release of the LSB 5.0 specification we (the LSB work group) want to shift our focus and become the place where distributions can discuss such problems and come to an agreement for Linux as a platform rather than every distro implementing their own solution.
So, trying to take over the role that freedesktop.org currently has? :)
Hmm, not really, I think. Stuff that freedesktop.org has done has found its way into the LSB, see xdg-utils for example. But I can see where there would be a potential overlap with freedesktop.org and that's certainly worth a discussion (not on this list of course) ;)
The LSB working group is still interested in verification though, while freedesktop.org provides documentation without testing or a pledge by distributions to actually implement the stuff that's on freedesktop.org. So there is a bit of a different angle.
Yes, but the overlap is "interesting". Where would a group of developers go if they wanted to create something new that spans distros / desktop environments? Right now it's been freedesktop, and then after everyone agrees, the LSB could codify it. But now, the LSB could be the place to do this work. So, how is someone supposed to know where to go? How will you ensure that duplicate things don't happen? How will you get one group to agree to the other group's differences if the same thing happens in 2 places in different ways? And finally, why is the LSB doing this at all? What need are you thinking needs to be fulfilled that was "broken"?
That's a _really_ big change for LSB,
Yes it is.
was this announced anywhere?
We are still working on that part. There is an executive summary of the LSB meeting here: https://wiki.linuxfoundation.org/en/LSB_Plenary_2014#Meeting_Minutes
Nice, so the 5.x spec is the last of its kind, that's great to see finally happen. But why not just dissolve the group entirely? There's no need to keep on meeting to do things that are already handled in other areas (i.e. freedesktop) in order to just continue to do things.
Detailed meeting minutes are to follow, that's on Jeff's plate ;) plus Jeff has to report through the LF chain what the working group came up with last week ;) maybe you can help with that, hint hint.... :D
I'm not involved in that at all, for good reasons. If I was, the LSB would have been dissolved a long time ago :) greg k-h
On 04/05/2014 04:26 PM, Greg KH wrote:
On Wed, Apr 02, 2014 at 08:00:40PM -0400, Robert Schweikert wrote:
On 04/02/2014 07:39 PM, Greg KH wrote:
On Mon, Mar 31, 2014 at 09:00:24AM -0400, Robert Schweikert wrote:
Hi,
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
Hello,
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Coincidentally the LSB working group just had a face to face meeting at the Linux Foundation Collaboration Summit last week and we decided that after the release of the LSB 5.0 specification we (the LSB work group) want to shift our focus and become the place where distributions can discuss such problems and come to an agreement for Linux as a platform rather than every distro implementing their own solution.
So, trying to take over the role that freedesktop.org currently has? :)
Hmm, not really, I think. Stuff that freedesktop.org has done has found its way into the LSB, see xdg-utils for example. But I can see where there would be a potential overlap with freedesktop.org and that's certainly worth a discussion (not on this list of course) ;)
The LSB working group is still interested in verification though, while freedesktop.org provides documentation without testing or a pledge by distributions to actually implement the stuff that's on freedesktop.org. So there is a bit of a different angle.
Yes, but the overlap is "interesting". Where would a group of developers go if they wanted to create something new that spans distros / desktop environments? Right now it's been freedesktop, and then after everyone agrees, the LSB could codify it. But now, the LSB could be the place to do this work.
So, how is someone supposed to know where to go? How will you ensure that duplicate things don't happen? How will you get one group to agree to the other group's differences if the same thing happens in 2 places in different ways?
And finally, why is the LSB doing this at all? What need are you thinking needs to be fulfilled that was "broken"?
That's a _really_ big change for LSB,
Yes it is.
was this announced anywhere?
We are still working on that part. There is an executive summary of the LSB meeting here: https://wiki.linuxfoundation.org/en/LSB_Plenary_2014#Meeting_Minutes
Nice, so the 5.x spec is the last of its kind, that's great to see finally happen. But why not just dissolve the group entirely? There's no need to keep on meeting to do things that are already handled in other areas (i.e. freedesktop) in order to just continue to do things.
Still the wrong list, but let's just keep going, I guess. Well fdo (freedesktop.org) by name would potentially be ignored/disqualified for certain things because they are not desktop related. For the most part I'd say that people do not necessarily expect fdo to work on things that are outside the desktop area. Secondly, even without a formal standard there are things we discussed at the LSB meeting that are not part of fdo, today. Although, I see principally no reason that there could not be a merging of efforts. But it is not immediately obvious what we would do with the tests, once they are freed from the certification framework, LTP might be a good home, and how distributions can claim support for a certain feature that happens to be on fdo. For example systemd was on fdo long before distributions made the decision to use it, and Debian could just as well have decided to not use systemd, obviously the decision was rather close. Thus, fdo does not, today, provide an infrastructure where people can find a feature and then figure out what distribution actually supports the particular implementation. Thus fdo provides a collection of projects/upstream code, but it is not necessarily obvious that a given project gets picked up by the distributions just because it is on fdo. With the LSB standard (as in formal standard) approach that was fairly obvious, if it's in the LSB and a distro is LSB certified then all the features are there. In the new approach to LSB this is not immediately obvious. But there are discussions of having some kind of "pledge" system, i.e. a way for distros to "register", for lack of a better word, the features they implement. This is still valuable information for ISVs. This could certainly become an aspect of fdo, I have no problem with that.
Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
Robert Schweikert wrote:
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Does anyone have contacts to those distros? Independent of that, what is the procedure when someone comes up with a change proposal? Do we vote on it? How? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On 04/07/2014 05:40 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Does anyone have contacts to those distros?
Yes, within the LSB working group we have people that have contacts to Debian and Fedora.
Independent of that, what is the procedure when someone comes up with a change proposal? Do we vote on it? How?
Good question. We have nothing in place to deal with this, as such the OSEP, in a way put the cart before the horse ;) Given that the board was not in favor of introducing a technical steering committee based on the board meeting discussions in February this may or may not pose a dilemma. Of course if factory contributors decide that a steering committee is needed for such purposes there is little the elected folks can do. From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed. No real answer, I know, sorry. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
Robert Schweikert wrote:
On 04/07/2014 05:40 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Does anyone have contacts to those distros?
Yes, within the LSB working group we have people that have contacts to Debian and Fedora.
Could you raise their attention somehow?
Independent of that, what is the procedure when someone comes up with a change proposal? Do we vote on it? How?
Good question.
We have nothing in place to deal with this, as such the OSEP, in a way put the cart before the horse ;)
The problem is independent of OSEP. Using OSEP for this just helped to get some structure into the request. The issue is that we don't have anyone who can decide such things.
From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed.
If the goal is to always reach 100% consensus then no change will ever happen. From my PoV I could go ahead and implement the proposed policy just because I have power over rpmlint. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On 04/08/2014 04:04 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/07/2014 05:40 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
On 03/26/2014 06:55 AM, Guido Berhoerster wrote:
after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namespace of system user and group names. Further comments and reviews would be appreciated.
Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
This is a cross distribution problem and I do not think we should just go it alone without at least speaking with other distros. Has anyone contacted Fedora and or Debian to see if we can find a common solution?
Does anyone have contacts to those distros?
Yes, within the LSB working group we have people that have contacts to Debian and Fedora.
Could you raise their attention somehow?
Working on that while at the same time trying to test out a "new LSB" process. Reached the "Proposed Solution" stage. https://github.com/LinuxStandardBase/lsb/pull/6 If anyone has anything to add to the proposed solution please feel free to do so. The idea is to, after review by others in the LSB work group, solicit feedback from distributions in the hopes of reaching agreement on a solution.
Independent of that, what is the procedure when someone comes up with a change proposal? Do we vote on it? How?
Good question.
We have nothing in place to deal with this, as such the OSEP, in a way put the cart before the horse ;)
The problem is independent of OSEP. Using OSEP for this just helped to get some structure into the request. The issue is that we don't have anyone who can decide such things.
Well, I think decision by consensus works.
From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed.
If the goal is to always reach 100% consensus
No, and I didn't set that as goal.
then no change will ever happen.
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
From my PoV I could go ahead and implement the proposed policy just because I have power over rpmlint.
Yes you could, I am happy that you are not just implementing it but considering feedback from others. Thanks, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
Robert Schweikert wrote:
On 04/08/2014 04:04 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed.
If the goal is to always reach 100% consensus
No, and I didn't set that as goal.
then no change will ever happen.
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
- Guido, Kyrill Michal, Yamaban and myself are for it.
cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On 8 April 2014 15:11, Ludwig Nussel <ludwig.nussel@suse.de> wrote:
Well, it's pretty cumbersome to count voices in a mail thread.
I understand the desire for precision, but when the goal is 'majority consensus' (which I understand is the target for OSEP proposals) then I trust the judgement of the contributors involved to be able to judge if the proposal has a strong weight of support behind it, and good grounds for not considering any dissenting opinions (of course, I'd argue the ideal is where dissenting opinions can be used to improve the original proposal, but I'm pragmatic enough to understand this isn't always going to be practical)
By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
- Guido, Kyrill Michal, Yamaban and myself are for it.
Feel free to add my +1 in the 'for it' column, I think it's a great idea that addresses a very real issue I've seen 'in the field' as a sysadmin
On 04/08/2014 09:17 AM, Richard Brown wrote:
On 8 April 2014 15:11, Ludwig Nussel <ludwig.nussel@suse.de> wrote:
Well, it's pretty cumbersome to count voices in a mail thread.
I understand the desire for precision, but when the goal is 'majority consensus' (which I understand is the target for OSEP proposals) then I trust the judgement of the contributors involved to be able to judge if the proposal has a strong weight of support behind it, and good grounds for not considering any dissenting opinions (of course, I'd argue the ideal is where dissenting opinions can be used to improve the original proposal, but I'm pragmatic enough to understand this isn't always going to be practical)
+1, fully agree Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
* Richard Brown <RBrownCCB@opensuse.org> [2014-04-08 15:17]:
On 8 April 2014 15:11, Ludwig Nussel <ludwig.nussel@suse.de> wrote:
Well, it's pretty cumbersome to count voices in a mail thread.
I understand the desire for precision, but when the goal is 'majority consensus' (which I understand is the target for OSEP proposals) then
Actually OSEP 0001 is very vague on this, it talks about "the list" finding either a consensus for or against it.
I trust the judgement of the contributors involved to be able to judge if the proposal has a strong weight of support behind it, and good grounds for not considering any dissenting opinions (of course, I'd argue the ideal is where dissenting opinions can be used to improve the original proposal, but I'm pragmatic enough to understand this isn't always going to be practical)
It is still not clear to me whose voice should have how much weight in this, who the constituency is from whom a consensus emerges. "The list" as in any random person who posts to opensuse-factory, or openSUSE members, or contributors to Factory? -- Guido Berhoerster
On 04/08/2014 10:58 AM, Guido Berhoerster wrote:
* Richard Brown <RBrownCCB@opensuse.org> [2014-04-08 15:17]:
On 8 April 2014 15:11, Ludwig Nussel <ludwig.nussel@suse.de> wrote:
Well, it's pretty cumbersome to count voices in a mail thread.
I understand the desire for precision, but when the goal is 'majority consensus' (which I understand is the target for OSEP proposals) then
Actually OSEP 0001 is very vague on this, it talks about "the list" finding either a consensus for or against it.
I trust the judgement of the contributors involved to be able to judge if the proposal has a strong weight of support behind it, and good grounds for not considering any dissenting opinions (of course, I'd argue the ideal is where dissenting opinions can be used to improve the original proposal, but I'm pragmatic enough to understand this isn't always going to be practical)
It is still not clear to me whose voice should have how much weight in this, who the constituency is from whom a consensus emerges. "The list" as in any random person who posts to opensuse-factory, or openSUSE members, or contributors to Factory?
From my point of view "the list" is -factory. Everyone that contributes to openSUSE in a technical way should be subscribed to this list. Consensus should be majority consensus among those that care enough to take part in the discussion, as mentioned in a previous reply, those that do not participate most likely do not care enough about a particular issue. The "weight of voice" question probably needs a differentiated approach. If big changes in a given package cause major waves then the maintainer voice, or group of maintainers voices, of that particular package should carry the most weight, they do the work after all. If as in this case there is no clear cut maintainer, but it is more infrastructure related, then IMHO voices should be weighted equally. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead Public Cloud Architect rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 04:04 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed.
If the goal is to always reach 100% consensus
No, and I didn't set that as goal.
then no change will ever happen.
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group. If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names. BTW, thanks for your comments on the GitHub pull request.
Later, Robert
Robert Schweikert wrote:
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names.
Ok, so let's postpone and revisit the issue in a few weeks to see what the outcome on LSB side is.
cu Ludwig
--
Ludwig Nussel http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names.
Ok, so let's postpone and revisit the issue in a few weeks to see what the outcome on LSB side is.
So, two months later there doesn't seem to be any progress on github. What is necessary to get this approved?
cu Ludwig
On Wednesday, 25 June 2014 at 09:05 +0200, Ludwig Nussel wrote:
Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names.
Ok, so let's postpone and revisit the issue in a few weeks to see what the outcome on LSB side is.
So, two months later there doesn't seem to be any progress on github. What is necessary to get this approved?
There is "orthogonal" work being done by systemd folks on "reset to factory" mode and stateless which might affect this proposal (I didn't check very): http://0pointer.de/blog/projects/stateless.html
--
Frederic Crozat Project Manager Enterprise Desktop SUSE
On 06/25/2014 03:49 AM, Frederic Crozat wrote:
On Wednesday, 25 June 2014 at 09:05 +0200, Ludwig Nussel wrote:
Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names.
Ok, so let's postpone and revisit the issue in a few weeks to see what the outcome on LSB side is.
So, two months later there doesn't seem to be any progress on github. What is necessary to get this approved?
There is "orthogonal" work being done by systemd folks on "reset to factory" mode and stateless which might affect this proposal (I didn't check very): http://0pointer.de/blog/projects/stateless.html
I don't see how this will help the problem being discussed in this thread. On a different note I don't necessarily see how adding more features to systemd will make it more usable either ;)
Later, Robert
On 06/25/2014 03:05 AM, Ludwig Nussel wrote:
Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 09:11 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
I am not opposed to the solution per se, I am opposed to inventing a solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
If no distribution consensus can be found I agree that we should solve the issue and eliminate the potential security problem with overlapping names.
Ok, so let's postpone and revisit the issue in a few weeks to see what the outcome on LSB side is.
So, two months later there doesn't seem to be any progress on github. What is necessary to get this approved?
So basically I am the stick in the mud. There was a request for comment on the LSB list, which I had sent. And a couple of people replied. One person from Debian, mostly positive as this very much reflects what's being done in Debian already. The other response was from the Linux From Scratch project and I have not had the time to digest, respond to that. The next steps are digest/respond to the LFS comments, then solicit the proposal here, with Fedora, Debian, and Ubuntu to see what happens. Given that every time I appear to be seeing the light of day some stupid ass issue blows up that takes days out of my life I am not certain when I will get back to this, sorry.
Later, Robert
* Robert Schweikert <rjschwei@suse.com> [2014-04-08 15:41]:
solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
Where can I follow this (apart from the github bug)?
--
Guido Berhoerster
On 04/08/2014 10:59 AM, Guido Berhoerster wrote:
* Robert Schweikert <rjschwei@suse.com> [2014-04-08 15:41]:
solution without seeking consensus across distributions and am willing to put in the work to seek the consensus, thus I am pushing the route via the LSB working group.
Where can I follow this (apart from the github bug)?
https://github.com/LinuxStandardBase/lsb
The "Problem Statement" is checked in, the solution proposal is pending as pull request 7 and Ludwig has already been busy providing feedback. Of course anyone can send pull requests.
HTH, Robert
On Tuesday 08 April 2014 15.11:06 Ludwig Nussel wrote:
Robert Schweikert wrote:
On 04/08/2014 04:04 AM, Ludwig Nussel wrote:
Robert Schweikert wrote:
From my perspective it should be a consensus based decision. At this point, if I recall correctly we had just as many people opposed as in favor. So we could say this is where ideas go to die. But again I think trying to find a cross distro solution might help convince those that are currently opposed.
If the goal is to always reach 100% consensus
No, and I didn't set that as goal.
then no change will ever happen.
I agree 100% consensus is not attainable. My thoughts are along the lines that in any such discussion the majority of people (maintainers) will not voice their opinion. This should be interpreted as, they don't care about this particular topic, from my point of view. Those that make an effort to respond, care, and it should be possible to find majority consensus among those. For this specific issue I don't think we have reached majority consensus yet.
Well, it's pretty cumbersome to count voices in a mail thread. By counting manually I get this:
- Eight people commented, asked questions or discussed something else where I couldn't identify a clear pro or con.
- Sascha does not seem to be against the proposal as long as the review team is not bothered and there are exceptions possible.
- Christian and Robert are against it but for different reasons.
- Guido, Kyrill, Michal, Yamaban and myself are for it.
cu Ludwig
As it impacts some of my installations, having local groups starting with _, I reserve my opinion on the implementation of renaming
--
Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Board GPG KEY : D5C9B751C4653227 irc: tigerfoot ~~~Don't take Life too serious. Nobody gets out alive anyway!~~~
participants (20)
- Andreas Jaeger
- Bernhard Voelker
- Bruno Friedmann
- Cristian Rodríguez
- denisart benjamin2
- Dirk Müller
- Frederic Crozat
- Greg KH
- Greg KH
- Guido Berhoerster
- Henne Vogelsang
- Jan Engelhardt
- Joachim Schrod
- Kyrill Detinov
- Ludwig Nussel
- Michal Hrusecky
- Richard Brown
- Robert Schweikert
- Sascha Peilicke
- Yamaban