| 1 |
On 02/28/2014 7:47 PM, William Hubbs wrote: |
| 2 |
> On Sat, Mar 01, 2014 at 12:24:02AM +0000, David Leverton wrote: |
| 3 |
>> William Hubbs wrote: |
| 4 |
>>> And I would argue that the maintenance cost of having separate /usr in a |
| 5 |
>>> general sense is much higher than the benefit it provides. |
| 6 |
>> |
| 7 |
>> That's a legitimate point (not that I necessarily agree or disagree as |
| 8 |
>> I'm not the one who's tried to make it work) - perhaps I should have |
| 9 |
>> acknowledged that it's still a trade-off. I'm just trying to get rid of |
| 10 |
>> the meme that whatever benefits do exist somehow don't count because |
| 11 |
>> they weren't planned in the original Unix design. |
| 12 |
> |
| 13 |
> Actually we are digressing heavily (I'm guilty too), the original point |
| 14 |
> of this thread was about the fhs and how tightly we are supposed to |
| 15 |
> follow it. |
| 16 |
> |
| 17 |
> Patrick thinks that all configuration files belong in /etc, and what has |
| 18 |
> happened is, some packages are placing default configuration |
| 19 |
> files in /lib or /usr/lib and allowing them to be overridden by files |
| 20 |
> with the exact same names and paths in /etc. His argument is that only |
| 21 |
> libraries belong in /lib or /usr/lib. |
| 22 |
> |
| 23 |
> I disagree with this based on understanding how the config system in |
| 24 |
> these packages works. Also, I don't think a distro should do this type of |
| 25 |
> patching if the patches are not accepted upstream. |
| 26 |
|
| 27 |
Digressing a little myself, but trying to remain on point, the _only_ reason |
| 28 |
I went with a split-/usr setup many years ago is because, back in the early |
| 29 |
2000's, BOTH Debian's Security Handbook AND Gentoo's Security Handbook |
| 30 |
recommended it as an option to enhance system security should all your other |
| 31 |
defenses get compromised and an attacker gets onto the filesystem. Does it |
| 32 |
completely and utterly stop all lateral movement? Nope. Probably takes a |
| 33 |
seasoned attacker all of 2-3mins to get around it. |
| 34 |
|
| 35 |
That setup has run great for years. I rarely re-install entire OSes, too, |
| 36 |
preferring to maintain and upgrade them. I.e., one of my Windows installs |
| 37 |
is over five years old, having started w/ Vista SP1 and now it's on Win7 |
| 38 |
SP1. Most people reinstall Windows twice a year because it can become |
| 39 |
cluttered up so quickly. |
| 40 |
|
| 41 |
So when that Freedesktop.org page came out a few years ago and suddenly |
| 42 |
declared that split-/usr was broken, I just felt snubbed by it. I had |
| 43 |
7-year old installs that booted just fine. Who were these freedesktop.org |
| 44 |
people that were dictating that my particular setup was suddenly broken? |
| 45 |
Call it a case of having my "geek pride" insulted. Like hell I was going to |
| 46 |
change. |
| 47 |
|
| 48 |
But, you know, in reality, they had a point. Original System V UNIX did a |
| 49 |
lot of weird things that probably made sense decades ago, but don't now. |
| 50 |
You find this virtually endemic across a lot of OSes, too: |
| 51 |
|
| 52 |
- Windows is happy to let you dribble non-OS related files all over C: |
| 53 |
(which makes backups and OS re-installs a lot of fun) -- this was fine in |
| 54 |
Win95/Win98, but became more of an issue in XP and up. Nowadays, people |
| 55 |
usually install the OS to C: and put games/programs on a separate drive |
| 56 |
entirely. |
| 57 |
|
| 58 |
- NetWare seems to roll dice when installing things into the SYS: volume. |
| 59 |
Some configs are in SYS:\SYSTEM\ETC, Apache lives in SYS:\APACHE2\, and a |
| 60 |
lot of other bits are encoded into eDirectory attributes (DNS/DHCP configs). |
| 61 |
|
| 62 |
- The *BSDs make heavy use of /usr/local for things that can confuse |
| 63 |
non-BSD users (at first). Even the install locations of Ports varies across |
| 64 |
the BSDs (FBSD has /usr/ports, DF/BSD has /usr/dports, NBSD has pkgsrc, etc). |
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
Anyways, back on point, FHS is more-or-less deprecated. It was reasonable |
| 69 |
when Linux had a small ecosystem. Now, Linux has a *huge* ecosystem that it |
| 70 |
operates in. Everything from small, embedded devices to multi-node |
| 71 |
supercomputing clusters, to servers and desktops. FHS does doesn't scale |
| 72 |
well to all of those configurations. Android pretty much ignores FHS, from |
| 73 |
what I can tell. |
| 74 |
|
| 75 |
Options really are boiled down to these three: |
| 76 |
|
| 77 |
1. Continue to support FHS as much as possible, including patching upstream |
| 78 |
packages when they violate FHS. |
| 79 |
|
| 80 |
2. Ignore FHS entirely and let upstream packages do what they want, within |
| 81 |
reason (i.e., some patching may be needed depending on if one was running |
| 82 |
Gentoo/Linux or Gentoo/FreeBSD). |
| 83 |
|
| 84 |
3. Develop our own, Gentoo-specific variant of FHS that we use and which |
| 85 |
suits the particulars of our distribution in a way that we feel is sensible |
| 86 |
(my choice). Packages are patched as appropriate, after discussion/debate. |
| 87 |
For all we know, the way an upstream package does something by default |
| 88 |
might be worth integrating into our FHS design. |
| 89 |
|
| 90 |
Further on point #3, we'd have to probably develop a high-level, |
| 91 |
kernel-agnostic layout that can be modified by kernel-specific differences. |
| 92 |
I.e., Gentoo/Linux is going to do things one way while Gentoo/FreeBSD is |
| 93 |
going to do it a different way. Ditto for Hardened or Embedded stuff. |
| 94 |
|
| 95 |
-- |
| 96 |
Joshua Kinard |
| 97 |
Gentoo/MIPS |
| 98 |
kumba@g.o |
| 99 |
4096R/D25D95E3 2011-03-28 |
| 100 |
|
| 101 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 102 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 103 |
|
| 104 |
--Emperor Turhan, Centauri Republic |
Archives