1 |
On 29/11/2016 23:49, William L. Thomson Jr. wrote: |
2 |
> On Tuesday, November 29, 2016 10:40:20 AM EST Michael Mol wrote: |
3 |
>> |
4 |
>> |
5 |
>> Highly detailed lists like that--used as a broad standard--are a bad idea. |
6 |
>> They represent a single synchronization point that everyone must adhere to. |
7 |
> |
8 |
> That is a statement based on opinion. You say it is a bad idea. I say it is |
9 |
> necessary and needed. Otherwise wrt to Gentoo ebuilds can stomp on each other. |
10 |
> Using same GID or UID in more than one ebuild causing problems. There has to |
11 |
> be something know so others do not use ones others are already. |
12 |
|
13 |
Why would you end up with duplicated UIDs and GIDs? The only real ways |
14 |
that can happen is |
15 |
- ebuild "edits" passwd and group directly using echo/sed and the like. |
16 |
- ebuild runs useradd|groupadd specifying the uid/gid as arguments |
17 |
|
18 |
Both of which are silly. Just use useradd/groupadd without uid/gid |
19 |
arguments. The utility will make sure the uid/gids are non-duplicate, |
20 |
and ensure they are <1000 or whatever for system accounts |
21 |
|
22 |
> |
23 |
>> That means that every prospective adjustment to the list requires active |
24 |
>> maintenance. That means that for every new daemon someone writes, they have |
25 |
>> to go through an admissions process. For every contentious fork of a |
26 |
>> project, you risk conflict over who the designated contact for the |
27 |
>> assignment should be. |
28 |
> |
29 |
> If they package such in Gentoo someone is making a call as to what UID and GID |
30 |
> should be used. If you think about it from packaging said new daemon in |
31 |
> Gentoo, it is a MUST. |
32 |
|
33 |
How do you intend to MAKE devs follow it? More eternal bike-shedding? |
34 |
|
35 |
> If it does not exist, should it be entirely random from the packager |
36 |
> perspective? What if they use a GID/UID specific to them and not others. |
37 |
> |
38 |
> There has to be some standard some consistency in Gentoo. |
39 |
|
40 |
Who cares what the uid/gid is? There's a range of about 950 to chose |
41 |
from. The way to ensure a filesystem object has the correct owner and |
42 |
group is by using chown/chgrp. |
43 |
|
44 |
Except for a few cases out on left field (like nfs shares - a problem |
45 |
that nfs must fix) you don't really care what the uid/gid is, as long as |
46 |
it's not duplicated. The thing you care about is the NAME |
47 |
|
48 |
> |
49 |
>> It adds a large bureaucratic load on everyone. Every itch some developer |
50 |
>> thinks about scratching has to be weighed against engaging with some |
51 |
>> process- laden entity. Maybe they'll participate, but they likely won't. |
52 |
> |
53 |
> Gentoo shines at bureaucratic load. That may be one of the only things Gentoo |
54 |
> is really good at, needless bureaucratic loads that just slow things down and |
55 |
> fracture the community, exherbo, funtoo, and likely others... |
56 |
> |
57 |
> This is not needless bureaucracy , this is necessary. |
58 |
|
59 |
This is a joke right? |
60 |
|
61 |
>> Have you watched the IANA ports assignment registry over the years? Consider |
62 |
>> how many services and tools you've seen that *don't* respect it. |
63 |
> |
64 |
> Yes, how often to ports < 1024 change? Hardly ever.... Proving the exact point |
65 |
> why this is needed. People can change them themselves but 99% of the time its |
66 |
> to some other port > 1024. |
67 |
> |
68 |
> Why is there IANA port assignment registry in the first place? Likely for a |
69 |
> similar reason. |
70 |
|
71 |
It's so that things like browsers, email tools and the like can drop |
72 |
:<port> for the most part and be reasonably sure stuffs will still work. |
73 |
|
74 |
Of the 65535 +-1 possible port numbers, only the first 1024 are truly |
75 |
important, and of those less than about a quarter are in common use |
76 |
(wild guess). |
77 |
|
78 |
The next 10,000 or so are not standards by any means, just a list of |
79 |
stuff that happens to have been seen in the wild. Apps can and do pick |
80 |
any old port they feel like - witness the several things that will use |
81 |
5000 out the box. Is this a problem? Not really, as very very few |
82 |
machines out there will install two apps both trying to use port 5000 by |
83 |
default. |
84 |
|
85 |
The top 45,000 - well that's a free-for-all. Mostly only used as source |
86 |
ports used by apps trying to contact other apps, and not by listeners. |
87 |
|
88 |
When looked at IANA port assignments in this light, it really does seem |
89 |
to be a case of the minimum necessary bureaucracy to make things mostly |
90 |
nicely most of the time, and not at all a case of bureaucracy to |
91 |
standardize things as you seem to be arguing. |
92 |
|
93 |
> |
94 |
>> All of this is why we use identity management tools like LDAP in the first |
95 |
>> place. Heck, it's why we have passwd and group files for mapping names to |
96 |
>> ids and didn't simply hardcode system IDs decades ago. |
97 |
> |
98 |
> LDAP typical manages user accounts not system. If the LDAP server is not |
99 |
> reachable you would make a system completely nonfunctional if it relied on |
100 |
> LDAP for system accounts. |
101 |
> |
102 |
> Also needed from a file sharing stand point of view if sharing parts of a |
103 |
> system across others. You need consistent GID/UID mappings or things like NFS |
104 |
> will have lots of problems. |
105 |
|
106 |
NFS is an edge case. Maybe edge is not the best possible adjective here, |
107 |
but it certainly isn't the one killer app that requires the whole |
108 |
uid/gid scheme needing to be locked down. |
109 |
|
110 |
People running into NFS uid/gid problems can figure out their own ways |
111 |
to deal with it, (and that doesn't always imply mapping everything to |
112 |
root plus norootsquash...) |
113 |
|
114 |
> Package a few things in Gentoo that need a UID and/or GID and you will start |
115 |
> to understand the problem from a operating system packager perspective. |
116 |
|
117 |
I have packaged a few things in Gentoo (privately only), and written |
118 |
more shell installers, puppet manifests, ansible playbooks and user |
119 |
account deployers than I care to recall; I've never run into this |
120 |
problem that I couldn't solve trivially - usually by just knowing the |
121 |
username|groupname and looking up the corresponding uid/gid. Really, |
122 |
it's just data mapping and we have tools to do the lookup real fast. |
123 |
|
124 |
-- |
125 |
Alan McKinnon |
126 |
alan.mckinnon@×××××.com |