| 1 |
On 29/11/2016 23:49, William L. Thomson Jr. wrote: |
| 2 |
> On Tuesday, November 29, 2016 10:40:20 AM EST Michael Mol wrote: |
| 3 |
>> |
| 4 |
>> |
| 5 |
>> Highly detailed lists like that--used as a broad standard--are a bad idea. |
| 6 |
>> They represent a single synchronization point that everyone must adhere to. |
| 7 |
> |
| 8 |
> That is a statement based on opinion. You say it is a bad idea. I say it is |
| 9 |
> necessary and needed. Otherwise wrt to Gentoo ebuilds can stomp on each other. |
| 10 |
> Using same GID or UID in more than one ebuild causing problems. There has to |
| 11 |
> be something know so others do not use ones others are already. |
| 12 |
|
| 13 |
Why would you end up with duplicated UIDs and GIDs? The only real ways |
| 14 |
that can happen is |
| 15 |
- ebuild "edits" passwd and group directly using echo/sed and the like. |
| 16 |
- ebuild runs useradd|groupadd specifying the uid/gid as arguments |
| 17 |
|
| 18 |
Both of which are silly. Just use useradd/groupadd without uid/gid |
| 19 |
arguments. The utility will make sure the uid/gids are non-duplicate, |
| 20 |
and ensure they are <1000 or whatever for system accounts |
| 21 |
|
| 22 |
> |
| 23 |
>> That means that every prospective adjustment to the list requires active |
| 24 |
>> maintenance. That means that for every new daemon someone writes, they have |
| 25 |
>> to go through an admissions process. For every contentious fork of a |
| 26 |
>> project, you risk conflict over who the designated contact for the |
| 27 |
>> assignment should be. |
| 28 |
> |
| 29 |
> If they package such in Gentoo someone is making a call as to what UID and GID |
| 30 |
> should be used. If you think about it from packaging said new daemon in |
| 31 |
> Gentoo, it is a MUST. |
| 32 |
|
| 33 |
How do you intend to MAKE devs follow it? More eternal bike-shedding? |
| 34 |
|
| 35 |
> If it does not exist, should it be entirely random from the packager |
| 36 |
> perspective? What if they use a GID/UID specific to them and not others. |
| 37 |
> |
| 38 |
> There has to be some standard some consistency in Gentoo. |
| 39 |
|
| 40 |
Who cares what the uid/gid is? There's a range of about 950 to chose |
| 41 |
from. The way to ensure a filesystem object has the correct owner and |
| 42 |
group is by using chown/chgrp. |
| 43 |
|
| 44 |
Except for a few cases out on left field (like nfs shares - a problem |
| 45 |
that nfs must fix) you don't really care what the uid/gid is, as long as |
| 46 |
it's not duplicated. The thing you care about is the NAME |
| 47 |
|
| 48 |
> |
| 49 |
>> It adds a large bureaucratic load on everyone. Every itch some developer |
| 50 |
>> thinks about scratching has to be weighed against engaging with some |
| 51 |
>> process- laden entity. Maybe they'll participate, but they likely won't. |
| 52 |
> |
| 53 |
> Gentoo shines at bureaucratic load. That may be one of the only things Gentoo |
| 54 |
> is really good at, needless bureaucratic loads that just slow things down and |
| 55 |
> fracture the community, exherbo, funtoo, and likely others... |
| 56 |
> |
| 57 |
> This is not needless bureaucracy , this is necessary. |
| 58 |
|
| 59 |
This is a joke right? |
| 60 |
|
| 61 |
>> Have you watched the IANA ports assignment registry over the years? Consider |
| 62 |
>> how many services and tools you've seen that *don't* respect it. |
| 63 |
> |
| 64 |
> Yes, how often to ports < 1024 change? Hardly ever.... Proving the exact point |
| 65 |
> why this is needed. People can change them themselves but 99% of the time its |
| 66 |
> to some other port > 1024. |
| 67 |
> |
| 68 |
> Why is there IANA port assignment registry in the first place? Likely for a |
| 69 |
> similar reason. |
| 70 |
|
| 71 |
It's so that things like browsers, email tools and the like can drop |
| 72 |
:<port> for the most part and be reasonably sure stuffs will still work. |
| 73 |
|
| 74 |
Of the 65535 +-1 possible port numbers, only the first 1024 are truly |
| 75 |
important, and of those less than about a quarter are in common use |
| 76 |
(wild guess). |
| 77 |
|
| 78 |
The next 10,000 or so are not standards by any means, just a list of |
| 79 |
stuff that happens to have been seen in the wild. Apps can and do pick |
| 80 |
any old port they feel like - witness the several things that will use |
| 81 |
5000 out the box. Is this a problem? Not really, as very very few |
| 82 |
machines out there will install two apps both trying to use port 5000 by |
| 83 |
default. |
| 84 |
|
| 85 |
The top 45,000 - well that's a free-for-all. Mostly only used as source |
| 86 |
ports used by apps trying to contact other apps, and not by listeners. |
| 87 |
|
| 88 |
When looked at IANA port assignments in this light, it really does seem |
| 89 |
to be a case of the minimum necessary bureaucracy to make things mostly |
| 90 |
nicely most of the time, and not at all a case of bureaucracy to |
| 91 |
standardize things as you seem to be arguing. |
| 92 |
|
| 93 |
> |
| 94 |
>> All of this is why we use identity management tools like LDAP in the first |
| 95 |
>> place. Heck, it's why we have passwd and group files for mapping names to |
| 96 |
>> ids and didn't simply hardcode system IDs decades ago. |
| 97 |
> |
| 98 |
> LDAP typical manages user accounts not system. If the LDAP server is not |
| 99 |
> reachable you would make a system completely nonfunctional if it relied on |
| 100 |
> LDAP for system accounts. |
| 101 |
> |
| 102 |
> Also needed from a file sharing stand point of view if sharing parts of a |
| 103 |
> system across others. You need consistent GID/UID mappings or things like NFS |
| 104 |
> will have lots of problems. |
| 105 |
|
| 106 |
NFS is an edge case. Maybe edge is not the best possible adjective here, |
| 107 |
but it certainly isn't the one killer app that requires the whole |
| 108 |
uid/gid scheme needing to be locked down. |
| 109 |
|
| 110 |
People running into NFS uid/gid problems can figure out their own ways |
| 111 |
to deal with it, (and that doesn't always imply mapping everything to |
| 112 |
root plus norootsquash...) |
| 113 |
|
| 114 |
> Package a few things in Gentoo that need a UID and/or GID and you will start |
| 115 |
> to understand the problem from a operating system packager perspective. |
| 116 |
|
| 117 |
I have packaged a few things in Gentoo (privately only), and written |
| 118 |
more shell installers, puppet manifests, ansible playbooks and user |
| 119 |
account deployers than I care to recall; I've never run into this |
| 120 |
problem that I couldn't solve trivially - usually by just knowing the |
| 121 |
username|groupname and looking up the corresponding uid/gid. Really, |
| 122 |
it's just data mapping and we have tools to do the lookup real fast. |
| 123 |
|
| 124 |
-- |
| 125 |
Alan McKinnon |
| 126 |
alan.mckinnon@×××××.com |
Archives