May I remind everybody that by QA policy allocation of UIDs and GIDs
in the range 0..100 needs explicit approval by the QA lead: https://projects.gentoo.org/qa/policy-guide/user-group.html#pg0901

I have fixed the used_free_uidgids.sh script such that it will no longer recommend any IDs below 101.

In any case, we have run out of GIDs:

Recommended GID only: none
Recommended UID only: 272
Recommended UID+GID pair: none
Free UIDs: 15
Free GIDs: 0
Free UID+GID pairs: 0

The question is of course how we should move forward. Certainly, using
IDs below 100 cannot be the solution, as we would run out of these very
soon.

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

- Admit that the concept of static allocation has failed, and return to
dynamic allocation.

Ulrich

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGM94QPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4u29sH/1/7RmiX6HZ3DA1uSMnGKkA+DJS7SOJAXV0B Iriki/m3bVXa11s/02TMNdC98Zt9IF2NJSVIaGfw96oNMTVCRklsSGGsZVNe1Fak VuxnaPp/SjmrYMz8+IL1e2uXf/kagsSufBb8ETYQSXeNaqo8IHzxGkj8s44Jjmq7 53lNItIl5cxhhsN158xPE+5nH62182JwD+XQaKK6yBjh+FBTLdsjozIEoi9Hkrk2 UZgsolFhIiqNaj/S+rdjE9h2D3+AH4O155dz5uJFDZwt0evoqHU/rVZPrtNu7Uj4 l4FNHGBmH7Wt7Ocen9F2TyQzq2TpBAi2WZZMVRshjQqRSLZt+5Y=
=79Hk
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --FkWZXhZJXqfHCNfDpJvHcmhUbtR4lGwbN
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 11.11.2021 13.34, Florian Schmaus wrote:

On 11/11/2021 11.59, Ulrich Mueller wrote:

We could:

- Open some part of the range between 500 and 1000. For example,
   500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

Could you elaborate why the range 500-799 only leaves us with 200 IDs?

- Flow

Read it like this: Only 800-999 gets freed with this suggestion, as
500...999 is currently reserved for dynamic allocation. And >1000 is
also reserved.

-- juippis


--FkWZXhZJXqfHCNfDpJvHcmhUbtR4lGwbN--

-----BEGIN PGP SIGNATURE-----

iQGTBAEBCgB9FiEEltRJ9L6XRmDQCngHc4OUK43AaWIFAmGNATtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk2 RDQ0OUY0QkU5NzQ2NjBEMDBBNzgwNzczODM5NDJCOERDMDY5NjIACgkQc4OUK43A aWLb2wgAhhYKPetRPwj46wFKeCzYPciAVGgT6LuNSqtR8G2u1cOyAZ/qTqbMz7e7 Ew2ZNW+VvZ8f9Z6MDlWIl3Xla/WVpah5W4DVT+5TJ0VRxsz2frc7gxZVJDZhNrnU i7O+qYHIGcjxQXo2cLb5vbfpZeaQEWlvFaS61PaxnZUnDucw4UTH+FXqZOBS80zF sqoMlDXfZvdgV5qE/12bDPWw2Gtr5KCytZdY+eYbfwzKnuNXRNaa7fE9d1vigCwb quEFOdoKWxNHuaYV7Ip/+NNGI9Hv6IKnBmr8N7vM9peYsikQhWY+V6qRH+YbtXvl RS3QVVgTdvENQrxlxyhtcRwbt8us4A==
=isdF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 11/11/2021 11.59, Ulrich Mueller wrote:

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

Could you elaborate why the range 500-799 only leaves us with 200 IDs?

- Flow

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 11, 2021 at 6:34 AM Florian Schmaus <flow@gentoo.org> wrote:

On 11/11/2021 11.59, Ulrich Mueller wrote:

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

I will confess that 90% of the time that when I run into headaches due
to mismatching GID/UIDs it involves two different distros anyway. I
definitely see the value in standardization, and there is some value
in doing it at the distro level, but really most of the value would
come from doing it cross-distro.

Ultimately I think a big part of the problem is that the whole UID/GID
model in Unix is a bit broken. Of course that isn't going to change
anytime soon.

Probably still worth band-aid fixes for the time being.

--
Rich

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 11 Nov 2021, Florian Schmaus wrote:

We could:
- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

Could you elaborate why the range 500-799 only leaves us with 200 IDs?

We still need some range for dynamic allocation. Currently that is
500..999, and would be reduced to 800..999. That seems to be on the low
side already.

In any case, 300 additional IDs may not be future proof at the rate
we're currently allocating them. So I wonder if we shouldn't move to
above 60000 immediately, or alternatively, give up the whole concept.

Ulrich

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGNAx4PHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uJMMH/1eTFcqBPef2VOhWnZlzRu24t2Z7VqL4QrCO vUiAoiWnQTDdIlPwWfBXXz10lZICnPY0/cKqHDq2J4khuIK8klCRSbG+4fImQBdP ka3hAjP60rHBPyKztVC7Y0ih3CoUpUUYNq1ast16/+EftBpEJ/WUgG07UQwur9sK XD4ADSCmqRmnzTYNiFRbXkbMQhrj7wHDc8aF1AVzoQE0qDQ7KXoSTLJbNWN7OdPa zMn6sPD2nq7CxvU6YRAnmgvHzVVgLJRYzm7aw+YQ7chuJuFc/MpRfEoZqbYyxy+W UUQyd84z68oXlCreiB4CAWqBNGfKkiQNaJGvSImF0dEE35+4xCM=
=kbSm
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 11 Nov 2021, Jaco Kroon wrote:

# getent passwd | awk -F: '{ print $3 }' | sort -g | tail -n3
37945
37946
65534 <-- this happens to be nobody.

60000 up to where?  65533?

I'd say 60001..60999 for now, and increase by another 1000 when (and if)
it will become necessary.

I'll need to make a "hole" in our
allocations but that's perfectly do-able.  Others may run into similar issues and be caught unawares (especially if UID/GID values are
allocated from some other system which may not be aware of UID/GID
values on specific servers).  Might be worth the trouble to head to

=2^31, but that will again fail on systems that still use 16-bit

UID/GID values (I'm not aware that we still support kernels older than 2.4).

More than 16 bits may be problematic with containers. IIUC some of them
use a split scheme where the upper 16 bits are reserved.

https://systemd.io/UIDS-GIDS/ basically says system users (which we're discussing here) is <1000.  systemd also already violates this statement itself just a few paragraphs down with special systemd UID and GID
ranges.  And already >60000 ranges listed here (most of 60000 to 65533
is reserved by systemd).

That's not a standard in any case, and it's dynamic allocation. So as
long as we don't fill up the whole range, things should be fine.

Ulrich

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGNEIIPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uoXQH/3Du+LtwwUBbGQ2gvqHDjQvZZr2MnFFpH+EL rFxsfUyXUIcbvudCDn7D195rHrgP+dPBtPeuuVyavYs6BvPTK4HbWu88ER78iG6m ASTFHUjWud067Huu/Zwz49DyjuT1FA5C3JfXmbcUniaf/ckFhZb9r6HOEk4PD/Ou xGBl9msuQA1jdqsMURaBBYw3ga03Jp86iLxjSAZrJX6u5upu45KbbJgQI4c1cIKQ x8R7eeeHpntH6ht5pIVCK1v5RZww0BSj8suiMyA513SSb+G+uSSXrtYhaPGc1JUa rHsR6/2msS5CVJx+GTI5R/kKfrzXj6qS0K5qN6wrNNqnlL210Xc=JAOH
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 11, 2021 at 12:48:46PM +0100, Ulrich Mueller wrote:

In any case, 300 additional IDs may not be future proof at the rate
we're currently allocating them. So I wonder if we shouldn't move to
above 60000 immediately, or alternatively, give up the whole concept.

Agreed here, I'd /like/ to stay <1000 for system IDs but I do also
feel we're just delaying the issue by using more of the dynamic range.
May as well keep it intact and larger.

Do think it's either open a range above 60000 or I guess switch to
using dynamic allocation in main ::gentoo as well (when non-critical).
--
ionen

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEx3SLh1HBoPy/yLVYskQGsLCsQzQFAmGNCPIACgkQskQGsLCs QzSwAAf/WqgKeT0DCRNVU6HNQ1A4dfpTieaDI7ng+ZEIF1RhH1pHKjiQVXi/37pQ QWvu2OZaTA00IS957sK5KsUc/O8MXVu7cGmzOnUXDM2PiMP14xiK872zoGDUDYo1 DRQ1ou+oIQZ96eESC4Ua1qXjRD7CHI/BCBtpyV3BUordCj8i5uXeWDJdrLtYeUIP 4yo4fzjeVmLaMJr+fNHpOZEGTeO0AJurtiu22Ten9W9zsn01gUh//bCvwqMIAIkf 3MCdH6PMKyaJPgcGk8mKe8QVUXeniZJTGNESOCi+qYS/o5PvXo4B5ISwv9DVwOJP V0Uxt6dJ0fyFtRCAOkcilOFqG0Tz4A==
=sNU4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 2021/11/11 14:10, Pacho Ramos wrote:

In any case, 300 additional IDs may not be future proof at the rate

we're currently allocating them. So I wonder if we shouldn't move to
above 60000 immediately, or alternatively, give up the whole concept.

Ulrich

Personally I would move to >60000 and keep the 300 additional IDs for the case
some software really really needs them

# getent passwd | awk -F: '{ print $3 }' | sort -g | tail -n3
37945
37946
65534 <-- this happens to be nobody.

60000 up to where?  65533?  I'll need to make a "hole" in our

allocations but that's perfectly do-able.  Others may run into similar
issues and be caught unawares (especially if UID/GID values are
allocated from some other system which may not be aware of UID/GID
values on specific servers).  Might be worth the trouble to head to

=2^31, but that will again fail on systems that still use 16-bit

UID/GID values (I'm not aware that we still support kernels older than 2.4).

https://systemd.io/UIDS-GIDS/ basically says system users (which we're discussing here) is <1000.  systemd also already violates this statement itself just a few paragraphs down with special systemd UID and GID
ranges.  And already >60000 ranges listed here (most of 60000 to 65533
is reserved by systemd).

Kind Regards,
Jaco

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El jue, 11-11-2021 a las 12:48 +0100, Ulrich Mueller escribió:

On Thu, 11 Nov 2021, Florian Schmaus wrote:

We could:
- Open some part of the range between 500 and 1000. For example, 500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

Could you elaborate why the range 500-799 only leaves us with 200 IDs?

We still need some range for dynamic allocation. Currently that is
500..999, and would be reduced to 800..999. That seems to be on the low
side already.

In any case, 300 additional IDs may not be future proof at the rate
we're currently allocating them. So I wonder if we shouldn't move to
above 60000 immediately, or alternatively, give up the whole concept.

Ulrich

Personally I would move to >60000 and keep the 300 additional IDs for the case some software really really needs them

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEE808Ng0g83FMNupoifLEMIH/AfbwFAmGNCE0ACgkQfLEMIH/A fbyzLQf+OAYHcNDMgHwYw0uSqi2xDizeILMVo8tWCmdAd2JuLLf58OflS5qSbe1U 1J9hDBj5uYKyr+Bg2c3ncTjV64RbP5Oq2lJIsNGHpBW+l4UkxkCOg9zLja7Gy7BZ KWAHFHm5BjiRJhwxiu7DldXIGeYz5/Plc4ZaHCw0izXLQCAwDDLyKmjW+O2E6eBa ricbGBc0WBHDtCwDz038kpOgirpQ11HYON2ephvfsE33mtO5zeCLu5WeL6YvHoOi c0nzHGTRQXQ1lkP522+e2OedL0cO48PyyZlHZhr9FAvrtdYnnfnLB0XVjul2zjmU lE37hQQP+bg2LdLMKhGQLsJ4gGrgNw==
=KmGS
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 11/11/2021 12.48, Ulrich Mueller wrote:

On Thu, 11 Nov 2021, Florian Schmaus wrote:

We could:
- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

+1, since I am not aware of any significant downsides doing so.

Could you elaborate why the range 500-799 only leaves us with 200 IDs?

We still need some range for dynamic allocation. Currently that is
500..999, and would be reduced to 800..999. That seems to be on the low
side already.

Thanks. I simply missed the "for dynamic allocation" part in your
initial mail. :/

In any case, 300 additional IDs may not be future proof at the rate
we're currently allocating them.

I am not so sure about that. Looking at the git log of uid-gid.txt there
have been 3 allocations in the last 3 months. And around 4 months ago,
conikost allocated a lot of IDs, which probably lead to the ID space
exhaustion we are seeing. But I believe it could be possible that the ID allocation rate now stays low because we probably allocated IDs for most current use-cases now. So maybe the simplest and safest bet is to open
the range from 500-799 for static IDs.

But I don't have a strong opinion on that.

- Flow

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 11, 2021 at 5:59 AM Ulrich Mueller <ulm@gentoo.org> wrote:

May I remind everybody that by QA policy allocation of UIDs and GIDs
in the range 0..100 needs explicit approval by the QA lead: https://projects.gentoo.org/qa/policy-guide/user-group.html#pg0901

I have fixed the used_free_uidgids.sh script such that it will no longer recommend any IDs below 101.

In any case, we have run out of GIDs:

Recommended GID only: none
Recommended UID only: 272
Recommended UID+GID pair: none
Free UIDs: 15
Free GIDs: 0
Free UID+GID pairs: 0

The question is of course how we should move forward. Certainly, using
IDs below 100 cannot be the solution, as we would run out of these very
soon.

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

This sounds like the simplest solution to me.

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

systemd has some code that special-cases ids in the "system" range.
I'm not exactly sure what impact creating system users outside above SYS_UID_MAX (login.defs) will have.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 11 Nov 2021, Mike Gilbert wrote:

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

systemd has some code that special-cases ids in the "system" range.
I'm not exactly sure what impact creating system users outside above SYS_UID_MAX (login.defs) will have.

We also have some IDs below SYS_UID_MIN (= 101) which technically is
outside the system account range of login.defs. Do these cause any
problems with systemd?

Ulrich

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGNahsPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uwu0IAIW5ineZQHP/rfznGmhVACmMPEYXx4fg/pNb 9/DI8wjA2bDUjvxd2ejADXuGAVNEiS2aCv6bY5IGBsUHyjsKBkqBGgRQsSQLOIzP vT4WIY5ieNd58lZ9sggSRn5nHynue9ooJ61uO9IKhPYFiOsFLqCP4d6R61Fs1ZWd G0ztIDXPuIJPn8JS/CQArj1vDaUU/hQ70cBA/eELc//GBwJOZP14fIl6DvmJlFp4 VjSJP001lPjxFiFgXq4FKf598Htx+CWWi3SLwzHxNoF/iQu+r+rNUcAZZsBTBBU7 Hcu4HxRjPPdLKNY2BcVV3DUAoGfmvmypkG1cijoM70JzXUiGCsM=
=GhlJ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 11, 2021 at 2:08 PM Ulrich Mueller <ulm@gentoo.org> wrote:

On Thu, 11 Nov 2021, Mike Gilbert wrote:

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

systemd has some code that special-cases ids in the "system" range.
I'm not exactly sure what impact creating system users outside above SYS_UID_MAX (login.defs) will have.

We also have some IDs below SYS_UID_MIN (= 101) which technically is
outside the system account range of login.defs. Do these cause any
problems with systemd?

That seems less likely to cause a problem. systemd considers any id <= SYS_UID_MAX to be a system id.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

gentoo definitely should not permit fixed use for installed packages in
the 500-600 range.

500+ was for many, many years the start for users, and forcing anyone to
change decades-long use of particular uids or gods is not acceptable.

really all of 101-499,701-999,60000-{nobody--} should be dynamic.

and 500-700 never touched by the distribution.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 11 Nov 2021, James Cloos wrote:

gentoo definitely should not permit fixed use for installed packages
in the 500-600 range.

500+ was for many, many years the start for users, and forcing anyone
to change decades-long use of particular uids or gods is not
acceptable.

really all of 101-499,701-999,60000-{nobody--} should be dynamic.

and 500-700 never touched by the distribution.

I have a snapshot of a Gentoo system from 2004 (sys-apps/shadow-4.0.3-r9
and sys-apps/pam-login-3.14). Its login.defs has the following:

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000

I see the same values in sys-apps/shadow/files/login.defs for the first
version of shadow in the tree (sys-apps/shadow-19990827-r1, committed on 2000-08-02).

So, I would conclude that Gentoo always used 1000 as minimum UID.

We could of course leave a gap for now, and allocate only 600..799.
This would leave the 500s for compatibility with very old systems.
It would have the additional advantage that we get an earlier warning
once the new range will be almost full. Even if we then allow IDs in the
60000s range, we presumably should keep some reserves of low IDs for
packages that really need them to be there.

Ulrich

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGPjrQPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uOnEH/3kNipmYrDXi5rNlzSjBwnByaIkkFiDDgU3Q w0O5PtuvpsqDfhXTIZpU/1fmnI8p8t+1Y7/EJMt8iQE4hal7NURuxssk9/MbTtiK nKD0N3WPHz+tpvZvpTIJJNt0ZahQaXsVwK7KjrjJOIi/4L622Fb8TAnI74ElA4cb aCImJBuXkj/jMybhqMHXKTZhpLCUYxvQww8M1gm1Rx7XwSYZSEI+ikyliHqe7ypt fYObrlT6dds88jonEQ3RJFYcVmr+Y9301HMBjOE5j0cHfuoXXJ9p7MHxnT5/xTm6 +vvBM8BfHe6Zdt/8jy2TCsHJl60/UvabWZaDNf8S35o3C9l6+fA=
=QVH5
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------733cgmi0x3FrkJTYa50yYS1M
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

T24gMjAyMS0xMS0xMSAxMTo1OSwgVWxyaWNoIE11ZWxsZXIgd3JvdGU6DQo+IFdlIGNvdWxk Og0KPiANCj4gLSBPcGVuIHNvbWUgcGFydCBvZiB0aGUgcmFuZ2UgYmV0d2VlbiA1MDAgYW5k IDEwMDAuIEZvciBleGFtcGxlLA0KPiAgICA1MDAuLjc5OSwgd2hpY2ggd291bGQgbGVhdmUg MjAwIElEcyBmb3IgZHluYW1pYyBhbGxvY2F0aW9uLg0KPiANCj4gLSBPcGVuIHBhcnQgb2Yg dGhlIHJhbmdlIDYwMDAxLi42NTUzMy4gTm90IHN1cmUgaWYgYWxsIHNvZnR3YXJlIHdpbGwg YmUNCj4gICAgaGFwcHkgd2l0aCB0aGF0Lg0KPiANCj4gLSBBZG1pdCB0aGF0IHRoZSBjb25j ZXB0IG9mIHN0YXRpYyBhbGxvY2F0aW9uIGhhcyBmYWlsZWQsIGFuZCByZXR1cm4gdG8NCj4g ICAgZHluYW1pYyBhbGxvY2F0aW9uLg0KDQpPbmx5IHRoZSB0aGlyZCBvcHRpb24gaXMgcmVh bGx5IHBvc3NpYmxlLg0KDQpUaGUgZmlyc3Qgb3B0aW9uICg1MDAtMTAwMCkgd291bGQgYmUg dGVjaG5pY2FsbHkgcG9zc2libGUgYnV0IHdvdWxkIA0KY2xhc2ggd2l0aCBrbm93bGVkZ2Ug cGVvcGxlIGdhaW5lZCBpbiB0aGUgcGFzdCBhbmQgd291bGQgdmlvbGF0ZSBMUElDIA0KKD1t YWtpbmcgR2VudG9vIGV2ZW4gbW9yZSBzcGVjaWFsIGFuZCB1bnVzYWJsZSBmb3IgY29tcGFu aWVzIHJlbHlpbmcgb24gDQpjZXJ0aWZpY2F0aW9ucykuDQoNCkluIGFkZGl0aW9uLCBpdCB3 b3VsZCBqdXN0IGRlbGF5IHRoZSBwcm9ibGVtIHdlIGN1cnJlbnRseSBoYXZlIGFuZCBub3Qg DQpzb2x2ZS9hZGRyZXNzIGl0Lg0KDQpBbGxvd2luZyByYW5nZXMgNjAwMDErIGlzIHRlY2hu aWNhbGx5IG5vdCBhbiBvcHRpb24uIEV4cGVjdCB0aGF0IGRhZW1vbnMgDQp1c2luZyBJRHMg PjEwMDAgd2lsbCBydW4gaW50byBwcm9ibGVtcy4gRXhwZWN0IHNlY3VyaXR5IHByb2JsZW1z IGJlY2F1c2UgDQprbm93biBzeXN0ZW0gdXNlciByYW5nZSBpcyBoYXJkY29kZWQgaW4gbWFu eSBwbGFjZXMgc28gNjAwMDErIGlzIA0KdW5leHBlY3RlZC4gVGhpcyB3aWxsIHJlYWxseSBt YWtlIEdlbnRvbyAndW5pcXVlJyBpbiBhIHJlYWxseSBiYWQgd2F5IA0KYW5kIHdpbGwgYnJl YWsgd2l0aCBldmVyeXRoaW5nIHdoaWNoIGlzL3dhcyBiZWluZyB0YXVnaHQvZG9jdW1lbnRl ZCBpbiANCnRoZSB3b3JsZC4NCg0KTGV0J3MgZmFjZSBpdDogVGhlIGlkZWEgb2Ygc3RhdGlj IElEIGFsbG9jYXRpb24gZGlkbid0IHNjYWxlLiBMZXQncyBzdG9wIA0KdGhpcyBleHBlcmlt ZW50IGJlZm9yZSBpdCBpcyB0b28gbGF0ZS4gTGlrZSB5b3Uga25vdywgSSBhbHdheXMgYXNr IHdoeSANCnNvbWVvbmUgaXMgcHJvcG9zaW5nIGEgY2hhbmdlLCBpLmUuIGFza2luZyBmb3Ig dGhlIG1vdGl2YXRpb24uIFRoZSBtYWluIA0KZHJpdmVyIGJlaGluZCBzdGF0aWMgSURzIHdh cyB0aGF0IHdoZW4geW91IGFyZSBtYWludGFpbmluZyBtdWx0aXBsZSANCnN5c3RlbXMsIHRo YXQgaWYgSURzIGFyZSBpZGVudGljYWwsIGl0IHdpbGwgbWFrZSBsaWZlIGEgbGl0dGxlIGJp dCANCmVhc2llciBiZWNhdXNlIHlvdSBjb3VsZCBjb3B5IGZpbGVzIGZyb20gc2VydmljZSBB IG9uIHN5c3RlbSAxIHRvIA0Kc2VydmljZSBBIG9uIHN5c3RlbSAyIHdpdGhvdXQgdGhlIG5l ZWQgb2YgYWRqdXN0aW5nIHBlcm1pc3Npb24gDQphZnRlcndhcmRzLiBCdXQgaXMgdGhpcyBy ZWFsbHkgYSBwcm9ibGVtPyBGcm9tIG15IFBPViBpdCBpc24ndDoNCg0KMSkgSWYgdGhpcyBy ZWFsbHkgd2FzIGJvdGhlcmluZyB5b3UsIHlvdSBhbHJlYWR5IGhhZCBhIHNvbHV0aW9uIGlu IA0KcGxhY2UuIEtlZXAgaW4gbWluZDogTW9zdCBzZXR1cHMgZG9uJ3QganVzdCBjb25zaXN0 IG9mIA0KR2VudG9vL0RlYmlhbi9SSEVMLW9ubHkuLi4geW91IHVzdWFsbHkgaGF2ZSBhIG1p eCBvZiBzZXR1cHMgc28geW91IG5lZWQgDQphIHNvbHV0aW9uIHdoaWNoIHdvcmtzIGV2ZXJ5 d2hlcmUgc28geW91IGRvbid0IG5lZWQgdGhhdCAnZmVhdHVyZScgDQpHZW50b28gb2ZmZXJl ZCAobm90IHRvIG1lbnRpb24gdGhhdCB5b3UgcHJvYmFibHkgaGF2ZSBzb21ldGhpbmcgbGlr ZSBBRCANCmluIHBsYWNlIHdoaWNoIHdpbGwgbWFrZSB0aGluZ3MgbGlrZSB0aGF0IHZlcnkg ZWFzeSkuDQoNCjIpIFBheSBhdHRlbnRpb24gdG8gdGhlIHdheSBob3cgeW91IGRvIHN0dWZm IHRvZGF5LiBZb3Ugd2lsbCBub3QgY3JlYXRlIA0Kc3lzdGVtcyBtYW51YWxseSBhbnltb3Jl IChhbmQgaWYgeW91IGRvLCB5b3Ugd291bGQganVzdCBjbG9uZSBzbyB0aGVyZSANCmlzbid0 IGV2ZW4gYSBuZWVkIGZvciB0aGlzKS4gWW91IHdpbGwgYXV0b21hdGUgdGhpcyBpbiBzY3Jp cHRzIGFuZCB1c2UgDQp0b29scyBsaWtlIEFuc2libGUsIFNhbHQsIENoZWYsIFB1cHBldC4u Li4gYW5kIG9mIGNvdXJzZSwgRG9ja2VycyAod2hpY2ggDQppcyBiYXNpY2FsbHkgYSBzY3Jp cHQpIGFuZCBsaWtlIG1lbnRpb25lZCwgQUQuDQoNCiBGcm9tIG15IFBPViBJIGNhbm5vdCBp bWFnaW5lIGEgc2luZ2xlIHJlYXNvbiB3aHkgd2Ugc2hvdWxkIHN0aWNrIHRvIA0KdGhpcyBp ZGVhIGFuZCBpbnZlc3QgbW9yZSB0aW1lIGludG8gaXQgd2l0aCB0aGUgcmlzayBvZiBtYWtp bmcgR2VudG9vIA0KbW9yZSB1bmlxdWUgY2F1c2luZyBtb3JlIF9zZXZlcmVfIHByb2JsZW1z IGluIGZ1dHVyZS4NCg0KQW55b25lIHdobyB3YW50cyB0byBrZWVwIHRoaXMgYXJvdW5kIGFu ZCB3YW50cyB0byBleHRlbmQgVUlEIHJhbmdlcyANCmluc3RlYWQgc2hvdWxkIGFuc3dlciB0 aGUgZm9sbG93aW5nIHF1ZXN0aW9uczoNCg0KMSkgSG93IGFyZSB5b3UgZ29pbmcgdG8gc29s dmUgdGhlIG1lbnRpb25lZCBwcm9ibGVtcz8NCg0KMikgV2h5IGRvIHlvdSBiZWxpZXZlIHRo aXMgZmVhdHVyZSBpcyB3b3J0aCBhbGwgdGhlIHRyb3VibGU/DQoNCjMpIEF0IHRoZSBtb21l bnQgd2UgY2FuIHN0b3AuIEJ1dCBvbmNlIHdlIHN0YXJ0IGFsdGVyaW5nIHN5c3RlbXMgdG8g bWFyayANCmFkZGl0aW9uYWwgcmFuZ2VzIGZvciBzeXN0ZW0gdXNlcnMgdGhlcmUgaXMgX25v XyBlYXN5IHdheSBiYWNrIGFueW1vcmUuIA0KQW55IGJsb3cgdXAgd2lsbCBwcm9iYWJseSBy ZXF1aXJlIHVzZXIgdG8gcmVpbnN0YWxsIHRoZWlyIGVudGlyZSBzeXN0ZW0uLi4NCg0KDQot LSANClJlZ2FyZHMsDQpUaG9tYXMgRGV1dHNjaG1hbm4gLyBHZW50b28gTGludXggRGV2ZWxv cGVyDQpmcHI6IEM0REQgNjk1RiBBNzEzIDhGMjQgMkFBMSA1NjM4IDU4NDkgN0VFNSAxRDVE IDc0QTUNCg==

--------------733cgmi0x3FrkJTYa50yYS1M--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEExKRzo+LDXJgXHuURObr3Jv2BVkFAmGRbnkFAwAAAAAACgkQRObr3Jv2BVlx SAgAuC/+0XWs8G1PqA1uwgpLQwWtkOqmeurD3JVhsmTUOeUrZ3STN4/FReTfDGSnAEwZq67ejXeG 2DkMVF0hx7SnZKMg8i/ZURFwiPx5OMYPOK5AHZcnSs55FPbWuzh6ao8Z2o5Bp9+j4WKYCJ27W8bh LdSSEmZWDemAH3O8csIofHbmS2Bt8F8gGvg5XeH1/fLmTO1rh77vrVnOZxGflqjfdwx0SUmc8k13 Fwyp6A4sWMvH3iWyRSDvzUPfnxHA9hOfXQ0yeOaCQbRW2YtCf2lImkXr69o3acOkjjmUbCSgFKcM xIp8h/B3zkZx4XIN6Rt+keoOyKp0G8UpgcpKz2iDAQ==
=DPJO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 11 Nov 2021, Ulrich Mueller wrote:

In any case, we have run out of GIDs:

Recommended GID only: none
Recommended UID only: 272
Recommended UID+GID pair: none
Free UIDs: 15
Free GIDs: 0
Free UID+GID pairs: 0

The question is of course how we should move forward. Certainly, using
IDs below 100 cannot be the solution, as we would run out of these very
soon.

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

- Admit that the concept of static allocation has failed, and return to
dynamic allocation.

By today's council decision, the whole range from 101 to 749 is now
available. The used_free_uidgids.sh script has been updated accordingly.

There seem to be some issues with system IDs above 60000 especially with systemd. We'll try to sort these out before we run out of IDs again.

Ulrich

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGRbjcPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uKxAH/j/9Z/yICcxjr1zpNJ29T6GUcBqKZ9NsNn4H 23K3CHmM2sby2Xhlq2fOkUs1caZ5leDHbKbdmGow56OlQITEpqpQzDkmljsTqlu7 +prroRd3UTmBALuTDZxgx2GK18ZuORzkn+KV8HLELHVNDeDJul90kuCGnN5I08hJ LCsS8O2ZNg7KNmKLiCX2kAGvjflzIinPviafwSvl7GX9MmY7450kFZkJq3rR5vz/ BD3M9DCAyi902LV6OJF/lWBti/ouHWdFyxBu3XWF9dOq2CJdqwi0/YFjdIE20gkb 0YTCCb0it7IKhSzIZEHdBzueA+7tDENsWKklr4maWLe2av2Sk6A=
=xWIR
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 14 Nov 2021, Thomas Deutschmann wrote:

On 2021-11-11 11:59, Ulrich Mueller wrote:

We could:
- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.
- Open part of the range 60001..65533. Not sure if all software will
be happy with that.
- Admit that the concept of static allocation has failed, and return
to dynamic allocation.

Only the third option is really possible.

The first option (500-1000) would be technically possible but would
clash with knowledge people gained in the past and would violate LPIC (=making Gentoo even more special and unusable for companies relying
on certifications).

Why would that be? We chose the original split point quite arbitrarily
to be 500. What is different about adjusting it upwards now?

Ulrich

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGRnZ0PHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4u3BEH/jAzdTspIuJPNBd5t1XRNjSyVZ5nUEtyfXZh sz/wNzyay0VV6YOKLLMBdXpYgC/VgXAOhKCr/qAyWD1fZ7SoieWPYCwKrpC3bw4P LmUyO2L7/yoguycQDaO3NhruJQedeyCJowhpQqNkr5QZKYRgSRrCfqu75VScSvY6 N2WQ0RGniSjbK6OVMutRiZUBFx590JgdVckvUBSoBNpeeOkKtK0ePfQJidwBhW8w X1HsglSNUgD0i6eLj5i3k15liXMT1lyTN07OqkVojZL0d4DmfgJGiuNeS7zmSo2V ATQH2mFzMK1OMPSKYps8ElTpGp9vCFni2tIDMuVWRCD1YJbI4hs=5O1d
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 14, 2021 at 09:15:36PM +0100, Thomas Deutschmann wrote:

On 2021-11-11 11:59, Ulrich Mueller wrote:

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

- Admit that the concept of static allocation has failed, and return to
dynamic allocation.

Only the third option is really possible.

FWIW, I agree with this sentiment.

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Switching back to dynamic allocation seems to be the best option.

--
Eray

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

On Sun, Nov 14, 2021 at 09:15:36PM +0100, Thomas Deutschmann wrote:

On 2021-11-11 11:59, Ulrich Mueller wrote:

We could:

- Open some part of the range between 500 and 1000. For example,
500..799, which would leave 200 IDs for dynamic allocation.

- Open part of the range 60001..65533. Not sure if all software will be
happy with that.

- Admit that the concept of static allocation has failed, and return to
dynamic allocation.

Only the third option is really possible.

FWIW, I agree with this sentiment.

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Switching back to dynamic allocation seems to be the best option.

--
Eray

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide a
way to force certain uids/gids to be constant if users want this.

William

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaMB8gAKCRBuVBb0MMRl OH3pAKCg97NctIywbEiM0vyqvs/U/NzZLQCfWXfkW9+eyn7Hh2frFX0s7cLJmIY=
=1s+h
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 28 Nov 2021, William Hubbs wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the
argument was valid, it would apply to dynamic alloction too.)

Switching back to dynamic allocation seems to be the best option.

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide
a way to force certain uids/gids to be constant if users want this.

While the rationale for static allocation that made it into GLEP 81 [1]
is rather weak, several people had argued in favour of it on the mailing
list [2].

In any case, let's cross that bridge when we reach it. For now, we're
good with 250 additional IDs.

Ulrich

[1] https://www.gentoo.org/glep/glep-0081.html#rationale
[2] https://archives.gentoo.org/gentoo-dev/message/33903763d46d193a25e4c03c4851bfc3

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmGjVKwPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4uvyoH/3+eXpwczs3u/4lLYLV+TFIet8Cv75n0kmQT g0tKGjNoYpnTQVIj+FqrinTJqJ7ulg39sYnZ1XLD/xiivBm2hpJmxM/acXCGlLPZ SnAofNRL3gjkJ11nis3oQ5ZefSJRgLXYE3mwsUfilY6W4VtFGizLDNeJBZWkKQQF /YbeWzIM9j2cTbKGUuQ9+NmTxVMrn7hKWcCXWLa7Udoh7/2Bj8P0MrOoosb3ZeY/ O5kokivZXbOmLQr+R5txkHPYfmMNpaNRcaVKNNxFQR69b55DynLVZ8dGPFDkrVDD dV30NGv4174MP+2MiqYHDQNn7E0Sz9F2GnBNtQI3lrs4Y2QQFTw=
=3d1s
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 11:06:36AM +0100, Ulrich Mueller wrote:

On Sun, 28 Nov 2021, William Hubbs wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the argument was valid, it would apply to dynamic alloction too.)

Switching back to dynamic allocation seems to be the best option.

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide
a way to force certain uids/gids to be constant if users want this.

While the rationale for static allocation that made it into GLEP 81 [1]
is rather weak, several people had argued in favour of it on the mailing
list [2].

In any case, let's cross that bridge when we reach it. For now, we're
good with 250 additional IDs.

It is inevitable that we will reach this bridge again -- whether or not
it is in a month or a year, it will happen.

Why are we just kicking the can down the road instead of admitting that
static allocation wasn't a good idea and going back to dynamic
allocation? Let's find out what the people who argued for static
allocation think.

William

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaPTQQAKCRBuVBb0MMRl OEoIAJ47K/wZ/nFbQf/U8Kzv4wEJtOBqigCfQxTejUA6ww4LKSm3Hpkki4QiGGw=
=EIOG
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2021-11-28 11:06:36, Ulrich Mueller wrote:

While the rationale for static allocation that made it into GLEP 81 [1]
is rather weak, several people had argued in favour of it on the mailing
list [2].

We don't even do static allocation. The UIDs and GIDs in the ebuilds
are suggestions, meant to benefit the people who will benefit from
them, and be ignored by everyone else.

There are a few exceptional cases where a user or group needs a
specific identifier; but those were always statically allocated and
nothing has changed in that regard.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 2021-11-28 at 13:06 -0600, William Hubbs wrote:

On Sun, Nov 28, 2021 at 11:06:36AM +0100, Ulrich Mueller wrote:

On Sun, 28 Nov 2021, William Hubbs wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not nowadays
2/ We cant keep adding new IDs to a distribution as new software gets added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the argument was valid, it would apply to dynamic alloction too.)

Switching back to dynamic allocation seems to be the best option.

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide
a way to force certain uids/gids to be constant if users want this.

While the rationale for static allocation that made it into GLEP 81 [1]
is rather weak, several people had argued in favour of it on the mailing list [2].

In any case, let's cross that bridge when we reach it. For now, we're
good with 250 additional IDs.

It is inevitable that we will reach this bridge again -- whether or not
it is in a month or a year, it will happen.

Why are we just kicking the can down the road instead of admitting that static allocation wasn't a good idea and going back to dynamic
allocation? Let's find out what the people who argued for static
allocation think.

Why are you assuming that something "wasn't a good idea" just because
you think so?

--
Best regards,
Michał Górny

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 3:26 PM William Hubbs <williamh@gentoo.org> wrote:

On Sun, Nov 28, 2021 at 02:57:39PM -0500, Michael Orlitzky wrote:

On 2021-11-28 11:06:36, Ulrich Mueller wrote:

While the rationale for static allocation that made it into GLEP 81 [1] is rather weak, several people had argued in favour of it on the mailing list [2].

We don't even do static allocation. The UIDs and GIDs in the ebuilds
are suggestions, meant to benefit the people who will benefit from
them, and be ignored by everyone else.

There are a few exceptional cases where a user or group needs a
specific identifier; but those were always statically allocated and
nothing has changed in that regard.

Doesn't the emerge fail if a different user with ACCT_USER_ID already exists on
the system (unless ACCT_USER_ID is set to -1, which is forbidden by qa policy)?

Not by default. If the eclass finds that ACCT_USER_ID is already
taken, it will allow useradd to assign a different one.

This behavior can be overridden by ebuilds (or a user) by setting ACCT_USER_ENFORCE_ID.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 02:57:39PM -0500, Michael Orlitzky wrote:

On 2021-11-28 11:06:36, Ulrich Mueller wrote:

While the rationale for static allocation that made it into GLEP 81 [1]
is rather weak, several people had argued in favour of it on the mailing list [2].

We don't even do static allocation. The UIDs and GIDs in the ebuilds
are suggestions, meant to benefit the people who will benefit from
them, and be ignored by everyone else.

There are a few exceptional cases where a user or group needs a
specific identifier; but those were always statically allocated and
nothing has changed in that regard.

Doesn't the emerge fail if a different user with ACCT_USER_ID already exists on the system (unless ACCT_USER_ID is set to -1, which is forbidden by qa policy)?

If that's the case I don't see how we aren't doing static allocation.

William


-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaPmCQAKCRBuVBb0MMRl OCCiAJ9OIRGv5FMM6N4Uj7Y1cGQiuv3pBgCfU9erH5HIRNxVtsThOTl+sItA8C8=
=nWG0
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 2:27 PM William Hubbs <williamh@gentoo.org> wrote:

On Sun, Nov 28, 2021 at 02:57:39PM -0500, Michael Orlitzky wrote:

We don't even do static allocation.

There are a few exceptional cases where a user or group needs a

specific identifier; but those were always statically allocated and
nothing has changed in that regard.

Doesn't the emerge fail if a different user with ACCT_USER_ID already
exists on
the system (unless ACCT_USER_ID is set to -1, which is forbidden by qa policy)?

If that's the case I don't see how we aren't doing static allocation.

User PoV when I see a bunch of acct-* packages pop up in emerge @world
updates:

A bunch of of acct-* ebuilds make claims for specific uid/gid for
applications
that don't have a reason I can think of to be requiring a specific number,
and
would never be used in a way (e.g. NFS-shared /etc) where the numeric
value actually matters.

<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Nov 28, 2021 at 2:27 PM William Hubbs &lt;<a href="mailto:williamh@gentoo.org">williamh@gentoo.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sun, Nov 28, 2021 at 02:57:39PM -0500, Michael Orlitzky wrote:<br>&gt; We don&#39;t even do static allocation. </blockquote><blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&gt; There are a few exceptional cases where a user or group needs a<br>
&gt; specific identifier; but those were always statically allocated and<br> &gt; nothing has changed in that regard.<br>

Doesn&#39;t the emerge fail if a different user with ACCT_USER_ID already exists on<br>
the system (unless ACCT_USER_ID is set to -1, which is forbidden by qa policy)?<br>

If that&#39;s the case I don&#39;t see how we aren&#39;t doing static allocation.<br></blockquote><div><br></div><div>User PoV when I see a bunch of acct-* packages pop up in emerge @world updates:</div><div><br></div><div><div>A bunch of of acct-*
ebuilds make claims for specific uid/gid for applications</div><div>that don&#39;t have a reason I can think of to be requiring a specific number, and</div><div>would never be used in a way (e.g. NFS-shared /etc) where the numeric</div><div>value
actually matters.</div></div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 08:15:13PM +0100, Michał Górny wrote:

On Sun, 2021-11-28 at 13:06 -0600, William Hubbs wrote:

On Sun, Nov 28, 2021 at 11:06:36AM +0100, Ulrich Mueller wrote:

On Sun, 28 Nov 2021, William Hubbs wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not nowadays
2/ We cant keep adding new IDs to a distribution as new software gets added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the argument was valid, it would apply to dynamic alloction too.)

Switching back to dynamic allocation seems to be the best option.

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide
a way to force certain uids/gids to be constant if users want this.

While the rationale for static allocation that made it into GLEP 81 [1] is rather weak, several people had argued in favour of it on the mailing list [2].

In any case, let's cross that bridge when we reach it. For now, we're good with 250 additional IDs.

It is inevitable that we will reach this bridge again -- whether or not
it is in a month or a year, it will happen.

Why are we just kicking the can down the road instead of admitting that static allocation wasn't a good idea and going back to dynamic
allocation? Let's find out what the people who argued for static
allocation think.

Why are you assuming that something "wasn't a good idea" just because
you think so?

ulm and others on the thread also mentioned the possibility of going
back to dynamic allocation, so it isn't just me who brought it up.

I honestly am just looking for a discussion.

Do other distros statically allocate all of their system users? If not,
why do we by default? I understand why enterprise users might need to,
and they can with the glep 81 eclasses by setting uids/gids in
make.conf, but is there a reason we force the issue at the distro level
and ban -1 as the setting for ACCT_USER_ID and ACCT_GROUP_ID?

William


-----BEGIN PGP SIGNATURE-----

iFwEABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaPqmgAKCRBuVBb0MMRl OE0aAJwJUX/jRKOGLF14DzXFS1kOkcFKnQCY+JzHwFJ8fjqbg+dv4ybIS/oaVA==
=t76x
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 02:42:23PM -0600, Gordon Pettey wrote:

On Sun, Nov 28, 2021 at 2:27 PM William Hubbs <williamh@gentoo.org> wrote:

On Sun, Nov 28, 2021 at 02:57:39PM -0500, Michael Orlitzky wrote:

We don't even do static allocation.

There are a few exceptional cases where a user or group needs a

specific identifier; but those were always statically allocated and nothing has changed in that regard.

Doesn't the emerge fail if a different user with ACCT_USER_ID already exists on
the system (unless ACCT_USER_ID is set to -1, which is forbidden by qa policy)?

If that's the case I don't see how we aren't doing static allocation.

User PoV when I see a bunch of acct-* packages pop up in emerge @world updates:

A bunch of of acct-* ebuilds make claims for specific uid/gid for applications
that don't have a reason I can think of to be requiring a specific number, and
would never be used in a way (e.g. NFS-shared /etc) where the numeric
value actually matters.

That's because qa mandates that any acct-group/acct-user packages in the
tree must claim a uid/gid.

Ultimately, we will run out of uids/gids to claim.

William


-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaPsGAAKCRBuVBb0MMRl OK5JAJsEqeOGy4WvCgWXEQhdzOrvACbKbQCgsNYiyQr7l7YYP0pMSHBtVscQW6M=
=3uiB
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 02:46:24PM -0600, William Hubbs wrote:

On Sun, Nov 28, 2021 at 08:15:13PM +0100, Michał Górny wrote:

On Sun, 2021-11-28 at 13:06 -0600, William Hubbs wrote:

On Sun, Nov 28, 2021 at 11:06:36AM +0100, Ulrich Mueller wrote:

On Sun, 28 Nov 2021, William Hubbs wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the argument was valid, it would apply to dynamic alloction too.)

Switching back to dynamic allocation seems to be the best option.

I realize I'm very late to this party, but +1 from me also.

We should use dynamic uid/git assignment by default and maybe provide a way to force certain uids/gids to be constant if users want this.

While the rationale for static allocation that made it into GLEP 81 [1] is rather weak, several people had argued in favour of it on the mailing
list [2].

In any case, let's cross that bridge when we reach it. For now, we're good with 250 additional IDs.

It is inevitable that we will reach this bridge again -- whether or not it is in a month or a year, it will happen.

Why are we just kicking the can down the road instead of admitting that static allocation wasn't a good idea and going back to dynamic allocation? Let's find out what the people who argued for static allocation think.

Why are you assuming that something "wasn't a good idea" just because
you think so?

ulm and others on the thread also mentioned the possibility of going
back to dynamic allocation, so it isn't just me who brought it up.

I honestly am just looking for a discussion.

Do other distros statically allocate all of their system users? If not,
why do we by default? I understand why enterprise users might need to,
and they can with the glep 81 eclasses by setting uids/gids in
make.conf, but is there a reason we force the issue at the distro level
and ban -1 as the setting for ACCT_USER_ID and ACCT_GROUP_ID?

William

Ok, based on floppym's response, I'm going to start a new thread.

William


-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQTVeuxEZo4uUHOkQAluVBb0MMRlOAUCYaPtFgAKCRBuVBb0MMRl OBJOAJ4nkSTUT8+87ewjWcJzFsD9pJwXpgCbBBJUySDVoIpTqEkqtIg1Ie+psq8=
=6buA
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 28, 2021 at 11:06:36AM +0100, Ulrich Mueller wrote:

On Mon, Nov 15, 2021 at 09:36:32AM +0300, Eray Aslan wrote:

1/ Static allocation does not really solve a problem. Not really not
nowadays
2/ We cant keep adding new IDs to a distribution as new software gets
added - one side is unbounded. This is losing game.

Not sure. In practice, the number of packages is limited. (And if the argument was valid, it would apply to dynamic alloction too.)

In the static allocation option, the rate of increase is the rate of new ID-needing software ported to the tree minus - optimistically - the rate
of treecleaning similar software. Optimistic because I am not sure how
much, or at what point, do we want to re-use treecleaned IDs.

In the dynamic case, we dont care about the global status and are really
bound by the max number of sysem IDs installed in a single system.
Local maximum is rather stable and in any case is a lot smaller than
global maximum. Plus in this age of containers and namespaces, this
isnt really a problem even if it did grow over time, i.e. even if
unbounded, we have tools to manage it.

--
Eray

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)