
Re: Bug#969631: can base-passwd provide the user _apt?



On Mon, Aug 30, 2021 at 12:30:49PM +0200, David Kalnischkies wrote:
> On Sun, Aug 29, 2021 at 11:30:41PM +0100, Colin Watson wrote:
> > case) it seems mostly like the sort of user that could be anonymous
> > outside of the lifetime of an apt process, analogous to systemd's
> > DynamicUser.
> 
> The _apt user started as 'nobody', but quickly people complained that
> they didn't want to punch holes in their firewalls for nobody.
> 
> As Julian notes most cases in which _apt creates/owns files are things
> to fix eventually, some of which were indeed already, but that is gonna
> be hard work and probably not achievable in the short term. Especially
> if other lower hanging fruits are still in reach. We are labouring on
> _apt for more than seven years now after all.

Yeah, I suppose so.

> So, while for some/most use cases something akin to DynamicUser would be
> enough, for others a more stable user would be preferred and then there
> are also cases where it would be beneficial if the user had the same
> UID across all systems.

And that's exactly the bit that seems tricky to achieve here.  If we
only had to deal with the bits that are internal to apt (as opposed to set
up manually by sysadmins) then it wouldn't be so bad.

> > But I guess there's no way to do something like that
> > outside of systemd, much less on systems that don't run systemd at all.
> 
> The problem with systemd in this context is that apt kinda needs to be
> its own systemd --user instance as apt is not a system service, but
> a service manager of its own. I doubt the systemd ecosystem offers that
> functionality, especially considering that these parts would need to be
> platform agnostic and reasonably light given they would be involved in
> (cross)bootstrap and all the other situations apt operates in.

To be clear, I wasn't literally proposing that apt should use systemd; I
don't think that would make sense.  It was just an analogy.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

