| 1 |
On Tuesday, November 29, 2016 04:49:24 PM William L. Thomson Jr. wrote: |
| 2 |
> On Tuesday, November 29, 2016 10:40:20 AM EST Michael Mol wrote: |
| 3 |
> > Highly detailed lists like that--used as a broad standard--are a bad idea. |
| 4 |
> > They represent a single synchronization point that everyone must adhere |
| 5 |
> > to. |
| 6 |
> |
| 7 |
> That is a statement based on opinion. |
| 8 |
|
| 9 |
Of course. And then I gave examples as to why. |
| 10 |
|
| 11 |
> You say it is a bad idea. I say it is |
| 12 |
> necessary and needed. Otherwise wrt to Gentoo ebuilds can stomp on each |
| 13 |
> other. Using same GID or UID in more than one ebuild causing problems. |
| 14 |
> There has to be something know so others do not use ones others are |
| 15 |
> already. |
| 16 |
|
| 17 |
If Gentoo wants to do it internally, that's one thing. But I would recommend |
| 18 |
against inviting other distributions to use Gentoo's list, which was something |
| 19 |
you seemed to be suggesting. Doing so asks that Gentoo shoulder the |
| 20 |
bureaucratic load from other distributions that want things added to Gentoo's |
| 21 |
list. |
| 22 |
|
| 23 |
> |
| 24 |
> > That means that every prospective adjustment to the list requires active |
| 25 |
> > maintenance. That means that for every new daemon someone writes, they |
| 26 |
> > have |
| 27 |
> > to go through an admissions process. For every contentious fork of a |
| 28 |
> > project, you risk conflict over who the designated contact for the |
| 29 |
> > assignment should be. |
| 30 |
> |
| 31 |
> If they package such in Gentoo someone is making a call as to what UID and |
| 32 |
> GID should be used. If you think about it from packaging said new daemon in |
| 33 |
> Gentoo, it is a MUST. |
| 34 |
> |
| 35 |
> If it does not exist, should it be entirely random from the packager |
| 36 |
> perspective? What if they use a GID/UID specific to them and not others. |
| 37 |
> |
| 38 |
> There has to be some standard some consistency in Gentoo. |
| 39 |
|
| 40 |
If you want to tie this specifically to Gentoo packaging, that's fine. Though |
| 41 |
I'd recommend you put the user and group allocation in the ebuild. Then your |
| 42 |
"list" is trivially generable by parsing portage. Further, you can *enforce* |
| 43 |
these allocations when calculating the dependency tree. If you're not |
| 44 |
enforcing them, what's the point? Is there a benefit without said enforcement? |
| 45 |
|
| 46 |
> |
| 47 |
> > It adds a large bureaucratic load on everyone. Every itch some developer |
| 48 |
> > thinks about scratching has to be weighed against engaging with some |
| 49 |
> > process- laden entity. Maybe they'll participate, but they likely won't. |
| 50 |
> |
| 51 |
> Gentoo shines at bureaucratic load. That may be one of the only things |
| 52 |
> Gentoo is really good at, needless bureaucratic loads that just slow things |
| 53 |
> down and fracture the community, exherbo, funtoo, and likely others... |
| 54 |
|
| 55 |
I was under the impression that Gentoo was chronically undermanned for even |
| 56 |
the workload it has. |
| 57 |
|
| 58 |
> |
| 59 |
> This is not needless bureaucracy , this is necessary. |
| 60 |
|
| 61 |
Opinion. Why is it necessary? What is it necessary for? |
| 62 |
|
| 63 |
> |
| 64 |
> > Have you watched the IANA ports assignment registry over the years? |
| 65 |
> > Consider how many services and tools you've seen that *don't* respect it. |
| 66 |
> |
| 67 |
> Yes, how often to ports < 1024 change? Hardly ever.... Proving the exact |
| 68 |
> point why this is needed. People can change them themselves but 99% of the |
| 69 |
> time its to some other port > 1024. |
| 70 |
> |
| 71 |
> Why is there IANA port assignment registry in the first place? Likely for a |
| 72 |
> similar reason. |
| 73 |
|
| 74 |
How relevant even *is* the <1024 distinction any longer? Once upon a time, the |
| 75 |
idea was you had to have special privileges to open those ports. Now, there is |
| 76 |
really no reason for anyone to care; capabilities-oriented permissions |
| 77 |
completely obviated the need, and I can only think of ssh, telnet and ftp and |
| 78 |
as server services that should require special host privileges to |
| 79 |
operate...and that's only because they may need to be able to call setuid(). |
| 80 |
|
| 81 |
And because the <1024 port privilege distinction has been so restrictive and |
| 82 |
bureaucratically sloggish, applications adapted to use ports above 1024. |
| 83 |
Games? Sync utilities? Proxy servers? Far more commonly-observed ports are |
| 84 |
above 1024 than below it, and many (most?) don't even get added to IANA's |
| 85 |
list. *That's* why the <1024 ports don't change much; the feature is obsolete, |
| 86 |
and users don't bother. |
| 87 |
|
| 88 |
As an example, I just checked on Syncthing, to see if its three ports were on |
| 89 |
IANA's list. They're not, and I stumbled across a Github issue where the devs |
| 90 |
flatly stated they didn't care. |
| 91 |
|
| 92 |
The IANA ports list is, by and large, obsolete. It became obsolete because it |
| 93 |
was too much a hassle for people to participate in. |
| 94 |
|
| 95 |
> |
| 96 |
> > All of this is why we use identity management tools like LDAP in the first |
| 97 |
> > place. Heck, it's why we have passwd and group files for mapping names to |
| 98 |
> > ids and didn't simply hardcode system IDs decades ago. |
| 99 |
> |
| 100 |
> LDAP typical manages user accounts not system. If the LDAP server is not |
| 101 |
> reachable you would make a system completely nonfunctional if it relied on |
| 102 |
> LDAP for system accounts. |
| 103 |
|
| 104 |
That's fair. Although I really like how one LDAP alternative operates over |
| 105 |
DNS, permitting local caching. (I can't for the life of me remember the name |
| 106 |
of that system, though.) |
| 107 |
|
| 108 |
> |
| 109 |
> Also needed from a file sharing stand point of view if sharing parts of a |
| 110 |
> system across others. You need consistent GID/UID mappings or things like |
| 111 |
> NFS will have lots of problems. |
| 112 |
> |
| 113 |
> Package a few things in Gentoo that need a UID and/or GID and you will start |
| 114 |
> to understand the problem from a operating system packager perspective. |
| 115 |
|
| 116 |
Oh, I understand the problem, but you haven't explained why your solution is |
| 117 |
the necessary solution to it, or how you would cope with the plethora of edge |
| 118 |
cases I brought up. It would seem there are already many established |
| 119 |
workarounds for the status quo, unstable-UID/GID in a cross-system context. |
| 120 |
|
| 121 |
Now, would I like to see stable UIDs and GIDs? Sure. For a couple of years, |
| 122 |
I've been toying with the idea of having IPSEC AH packets tagging packets with |
| 123 |
the UID of the process that generated them, for diagnostic and auditing |
| 124 |
purposes. Stable UIDs would make that more useful. |
| 125 |
|
| 126 |
But trying to set up a list for everyone to move in lockstep with seems to me |
| 127 |
like a bad way to go. Less bad if you intend to keep it unique to Gentoo, but |
| 128 |
the broader you make the scope, the more strain you'll put on the ecosystem as |
| 129 |
a whole. More daemons will be build that are intended to run as local users. |
| 130 |
More software will be pushed into opaque blobs a la Snap and Flatpack. |
| 131 |
|
| 132 |
As a general rule, the bigger the hassle you make something, the less people |
| 133 |
will want to engage. |
| 134 |
|
| 135 |
|
| 136 |
-- |
| 137 |
:wq |
Archives