Re: s6/s6-rc policy for Gentoo: XDG Base Directory Specification

From: Carlos Eduardo <carana2099_at_gmail.com>
Date: Sat, 13 Jul 2024 11:14:14 -0300

On Thu, 11 Jul 2024 at 11:55, Paul Sopka <psopka_at_sopka.ch> wrote:
> I will try and summarize what we have now.
>
> I hope you are fine with this.

Sure. Long e-mails get tiring to read and reply to, for both of us.

> https://skarnet.org/lists/supervision/3139.html

Frankly, your priorities when designing a replacement were very misguided.

- `/run/turnstiled/sessions` exposes similar data as your proposal's
`/run/session` folder (including being able to query the session type).
Take a closer look at the prior art before writing it off.
- Just the session data isn't enough, as you need to patch third party
software that relies on it [3]. Turnstile (or, really, any proposal that
doesn't assume a specific setup of the underlying system) allows sharing
this load with other distributions.
- Without a daemon's mediation, processes writing to the database have to
coordinate themselves with locks¹. This introduces risks and limitations
you don't want to have when said writes are happening without human
oversight [1] [2]. Turnstile is a daemon for a good reason.
- Expecting the user to directly edit scripts if they want different
behavior, instead of providing some degree of built-in configurability, is not
reasonable for a packaged solution, as even the smallest user tweaks would
be in constant attrition with package upgrades.
- I won't repeat myself on why a system that relies on calling the current
generation of s6-rc upon receiving events, or processes meant to be running
in different contexts sharing the same supervision tree, especially one
with only a boot-time environment, are a bad idea.

¹Which are missing from your script entirely, which is dangerous when you
have in-place editing such as the counter and newline files.

[1] https://skarnet.org/software/s6-rc/s6-rc.html (-b option).
[2] https://skarnet.org/lists/supervision/0391.html
[3] https://github.com/void-linux/void-packages/pull/44676

> Turnstile
>
> - Forks the user-tree off the turnstile process, directly related to the
> login session.

Not to _the_, but to _a_ login session. Whenever turnstiled is informed of
a log-in, it loads the PAM modules in /etc/pam.d/turnstiled, and runs
`backend run ...` as the shell. You can confirm that with a pstree;
dinit/s6-svscan are children of an intermediate "turnstiled" process, not
`login`/your display manager (see [1] for why replicating this directly on
top of a supervision suite is more trouble than it's worth).

[1] https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html,
section "PAM changed everything".

> - Needs close monitoring by the people responsible for the s6/s6-rc
> overlay/profile or at least good connection between them and the
> maintainer of the Turnstile ebuild, due to its tight integration.

I've already explained why this is not true unless you want to force the
project out of its scope, and how it's an infinitely more accurate
description for your proposal.

Instead of reducing scope and relying on a loosely coupled third party
solution, you're making a solution that marries session tracking to a
specific policy for a specific init system. I wonder where I've seen that
before.

> Did I miss anything important?

I believe you're correct on the other points.

Since I've made my points here also regarding the "user session tracking"
thread, I won't make a standalone reply to it.

> Have a nice Thursday!

Have a nice Saturday :D

Received on Sat Jul 13 2024 - 16:14:14 CEST