1 |
On Tuesday, November 29, 2016 04:49:24 PM William L. Thomson Jr. wrote: |
2 |
> On Tuesday, November 29, 2016 10:40:20 AM EST Michael Mol wrote: |
3 |
> > Highly detailed lists like that--used as a broad standard--are a bad idea. |
4 |
> > They represent a single synchronization point that everyone must adhere |
5 |
> > to. |
6 |
> |
7 |
> That is a statement based on opinion. |
8 |
|
9 |
Of course. And then I gave examples as to why. |
10 |
|
11 |
> You say it is a bad idea. I say it is |
12 |
> necessary and needed. Otherwise wrt to Gentoo ebuilds can stomp on each |
13 |
> other. Using same GID or UID in more than one ebuild causing problems. |
14 |
> There has to be something know so others do not use ones others are |
15 |
> already. |
16 |
|
17 |
If Gentoo wants to do it internally, that's one thing. But I would recommend |
18 |
against inviting other distributions to use Gentoo's list, which was something |
19 |
you seemed to be suggesting. Doing so asks that Gentoo shoulder the |
20 |
bureaucratic load from other distributions that want things added to Gentoo's |
21 |
list. |
22 |
|
23 |
> |
24 |
> > That means that every prospective adjustment to the list requires active |
25 |
> > maintenance. That means that for every new daemon someone writes, they |
26 |
> > have |
27 |
> > to go through an admissions process. For every contentious fork of a |
28 |
> > project, you risk conflict over who the designated contact for the |
29 |
> > assignment should be. |
30 |
> |
31 |
> If they package such in Gentoo someone is making a call as to what UID and |
32 |
> GID should be used. If you think about it from packaging said new daemon in |
33 |
> Gentoo, it is a MUST. |
34 |
> |
35 |
> If it does not exist, should it be entirely random from the packager |
36 |
> perspective? What if they use a GID/UID specific to them and not others. |
37 |
> |
38 |
> There has to be some standard some consistency in Gentoo. |
39 |
|
40 |
If you want to tie this specifically to Gentoo packaging, that's fine. Though |
41 |
I'd recommend you put the user and group allocation in the ebuild. Then your |
42 |
"list" is trivially generable by parsing portage. Further, you can *enforce* |
43 |
these allocations when calculating the dependency tree. If you're not |
44 |
enforcing them, what's the point? Is there a benefit without said enforcement? |
45 |
|
46 |
> |
47 |
> > It adds a large bureaucratic load on everyone. Every itch some developer |
48 |
> > thinks about scratching has to be weighed against engaging with some |
49 |
> > process- laden entity. Maybe they'll participate, but they likely won't. |
50 |
> |
51 |
> Gentoo shines at bureaucratic load. That may be one of the only things |
52 |
> Gentoo is really good at, needless bureaucratic loads that just slow things |
53 |
> down and fracture the community, exherbo, funtoo, and likely others... |
54 |
|
55 |
I was under the impression that Gentoo was chronically undermanned for even |
56 |
the workload it has. |
57 |
|
58 |
> |
59 |
> This is not needless bureaucracy , this is necessary. |
60 |
|
61 |
Opinion. Why is it necessary? What is it necessary for? |
62 |
|
63 |
> |
64 |
> > Have you watched the IANA ports assignment registry over the years? |
65 |
> > Consider how many services and tools you've seen that *don't* respect it. |
66 |
> |
67 |
> Yes, how often to ports < 1024 change? Hardly ever.... Proving the exact |
68 |
> point why this is needed. People can change them themselves but 99% of the |
69 |
> time its to some other port > 1024. |
70 |
> |
71 |
> Why is there IANA port assignment registry in the first place? Likely for a |
72 |
> similar reason. |
73 |
|
74 |
How relevant even *is* the <1024 distinction any longer? Once upon a time, the |
75 |
idea was you had to have special privileges to open those ports. Now, there is |
76 |
really no reason for anyone to care; capabilities-oriented permissions |
77 |
completely obviated the need, and I can only think of ssh, telnet and ftp and |
78 |
as server services that should require special host privileges to |
79 |
operate...and that's only because they may need to be able to call setuid(). |
80 |
|
81 |
And because the <1024 port privilege distinction has been so restrictive and |
82 |
bureaucratically sloggish, applications adapted to use ports above 1024. |
83 |
Games? Sync utilities? Proxy servers? Far more commonly-observed ports are |
84 |
above 1024 than below it, and many (most?) don't even get added to IANA's |
85 |
list. *That's* why the <1024 ports don't change much; the feature is obsolete, |
86 |
and users don't bother. |
87 |
|
88 |
As an example, I just checked on Syncthing, to see if its three ports were on |
89 |
IANA's list. They're not, and I stumbled across a Github issue where the devs |
90 |
flatly stated they didn't care. |
91 |
|
92 |
The IANA ports list is, by and large, obsolete. It became obsolete because it |
93 |
was too much a hassle for people to participate in. |
94 |
|
95 |
> |
96 |
> > All of this is why we use identity management tools like LDAP in the first |
97 |
> > place. Heck, it's why we have passwd and group files for mapping names to |
98 |
> > ids and didn't simply hardcode system IDs decades ago. |
99 |
> |
100 |
> LDAP typical manages user accounts not system. If the LDAP server is not |
101 |
> reachable you would make a system completely nonfunctional if it relied on |
102 |
> LDAP for system accounts. |
103 |
|
104 |
That's fair. Although I really like how one LDAP alternative operates over |
105 |
DNS, permitting local caching. (I can't for the life of me remember the name |
106 |
of that system, though.) |
107 |
|
108 |
> |
109 |
> Also needed from a file sharing stand point of view if sharing parts of a |
110 |
> system across others. You need consistent GID/UID mappings or things like |
111 |
> NFS will have lots of problems. |
112 |
> |
113 |
> Package a few things in Gentoo that need a UID and/or GID and you will start |
114 |
> to understand the problem from a operating system packager perspective. |
115 |
|
116 |
Oh, I understand the problem, but you haven't explained why your solution is |
117 |
the necessary solution to it, or how you would cope with the plethora of edge |
118 |
cases I brought up. It would seem there are already many established |
119 |
workarounds for the status quo, unstable-UID/GID in a cross-system context. |
120 |
|
121 |
Now, would I like to see stable UIDs and GIDs? Sure. For a couple of years, |
122 |
I've been toying with the idea of having IPSEC AH packets tagging packets with |
123 |
the UID of the process that generated them, for diagnostic and auditing |
124 |
purposes. Stable UIDs would make that more useful. |
125 |
|
126 |
But trying to set up a list for everyone to move in lockstep with seems to me |
127 |
like a bad way to go. Less bad if you intend to keep it unique to Gentoo, but |
128 |
the broader you make the scope, the more strain you'll put on the ecosystem as |
129 |
a whole. More daemons will be build that are intended to run as local users. |
130 |
More software will be pushed into opaque blobs a la Snap and Flatpack. |
131 |
|
132 |
As a general rule, the bigger the hassle you make something, the less people |
133 |
will want to engage. |
134 |
|
135 |
|
136 |
-- |
137 |
:wq |