On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton <bcotton(a)redhat.com> wrote:
=== 1. It is difficult to deliver updates to configurations ===
Files /etc/nsswitch.conf and /etc/pam.d/* are distributed as
%config(noreplace) which means that they are configuration files and
are only installed if they are not yet present. If they are present
then they are never overwritten with package updates, instead an
*.rpmnew file is created and the update responsibility is left
completely to the user.
It is done this way to prevent overwriting user changes to
configurations. But at the same time it means that even configurations
that are not modified by the users cannot be changed, so we cannot
deliver fixes and changes efficiently.
It is only possible through difficult scriptlets. As an example, we
can show this bugzilla where a change in Gnome required an update to
PAM otherwise the user could not authenticate. Delivering the change
was easy with authselect, but difficult for non-authselect systems.
Authselect already knows how the resulting configuration should look
and does not risk overriding user configuration. Making it mandatory
will help distribute important updates to nsswitch and PAM
configuration.
PAM gained support for systemd-style overlay configuration some time
ago. Actually a number of core system components did, if the libeconf
dependency is turned on. Instead of forcing authselect, we should
probably make sure base functional configuration is shipped in
something like /usr/share/pam/pam.d or something like that.
Not that I think authselect is bad, but I think it's a bad hammer to
solve this problem.
--
真実はいつも一つ!/ Always, there's only one truth!
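One way to see the problem the quoted proposal describes on a running system: list the %config(noreplace) files under /etc/pam.d and /etc for which RPM dropped a vendor copy as *.rpmnew instead of updating the live file, and flag those where the two differ. This is an added example, not something from the proposal or from authselect; directory paths are arguments so it can also be pointed at a copied or chrooted /etc.

```shell
#!/bin/sh
# Added example (not from the proposal): report configuration files that
# RPM left untouched because of %config(noreplace) while writing the new
# vendor version next to them as FILE.rpmnew. Each "differs" line is an
# update that has not reached the live configuration.

# find_pending_rpmnew DIR...: for every *.rpmnew directly inside DIR, print
# "LIVE RPMNEW STATUS" where STATUS is differs, identical or live-missing.
find_pending_rpmnew() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -name '*.rpmnew' -type f 2>/dev/null | sort |
        while IFS= read -r new; do
            live="${new%.rpmnew}"
            if [ ! -e "$live" ]; then
                status="live-missing"      # vendor file with no live counterpart
            elif cmp -s "$live" "$new"; then
                status="identical"         # nothing pending, .rpmnew can go
            else
                status="differs"           # update never applied to live file
            fi
            printf '%s %s %s\n' "$live" "$new" "$status"
        done
    done
}

# count_pending DIR...: number of .rpmnew files whose live file differs.
count_pending() {
    find_pending_rpmnew "$@" | awk '/ differs$/ { n++ } END { print n + 0 }'
}

# Run directly: e.g.  sh rpmnew-check.sh /etc/pam.d /etc
if [ "$#" -gt 0 ]; then
    find_pending_rpmnew "$@"
fi
```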