[Pkg-shadow-devel] should src:adduser, src:shadow and src:base-passwd work together?

Chris Hofstaedtler zeha at debian.org
Tue Oct 29 17:18:15 GMT 2024


* Marc Haber <mh+pkg-shadow-devel at zugschlus.de> [241029 18:04]:
> On Tue, Oct 29, 2024 at 05:17:32PM +0100, Chris Hofstaedtler wrote:
> > > Since shadow, adduser and base-passwd are exposed security-wise as well, it
> > > would probably make sense to move the three source packages from the Debian
> > > project to its own Salsa project, probably best called shadow-team.
> > 
> > I can kinda see that, but I don't want to do this for util-linux,
> > and then I'm not seeing the extra value.
> 
> Util-linux is not part of this effort from my side.

Yes, but util-linux now ships su and login, and I think they would
be more "important" than whatever bins src:shadow now ships. So IMO
the case for src:shadow not being in debian/ does not exist.

> > In general for Debian I'd like to see more things move into the
> > debian/ namespace. If people introduce crap -because- of that, then
> > so be it. They can already (NM)U the packages anyway. I'd rather
> > take the extra drive-by help.
> 
> I can understand that for shadow and adduser, but is it wise to have
> base-passwd in the Debian namespace? An NMU will raise more concerns
> than a random commit.
> 
> Drive by help via merge requests works quite as well.

They work better when there is no repo forking involved though, etc.
Worst case, the git contents are kinda ephemeral (at least for
shadow).

Colin already answered for base-passwd.

> Are you (a) opposed or (b) indifferent to the three projects moving to
> their own salsa team?

I'm leaning towards a).

> > Teams on tracker.d.o are a bit meh at the moment, given tracker
> > still uses sso.d.o for managing them.
> > I have no clue how to reconcile the mailing list and the
> > <package>@packages.d.o alias however. Open to ideas.
> 
> Theoretically it should be possible for a mailing list admin to allow
> the sender that the tracker uses to post to the list and then subscribe
> the list to the tracker. I have seen other packages do this.
> 
> The tracker uses something like
> bounces+20241029-mh+2Bdebian+2Dtracker=zugschlus.de at tracker.debian.org
> as envelope sender, so /bounces+.*@tracker\.debian\.org/ should do it if
> the mailing list software allows regexes in that place. Who has the
> admin password for the mailing list?

Let's see; but I'm not very hopeful about the password. Probably
have to ask the alioth-lists people to reset it.

Chris
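
The sender pattern quoted in the message above, checked against the tracker address it cites and a few constructed non-tracker senders. This is an added example, not part of the original mail; the tightened pattern, the constructed addresses and the assumption about how the list software applies the pattern (unanchored search versus start-anchored match) are not from the thread.

```python
import re

# Pattern exactly as written in the quoted mail (delimiting slashes removed).
AS_WRITTEN = r"bounces+.*@tracker\.debian\.org"
# Assumed tightening (not from the thread): literal "+", no whitespace or
# second "@" in the local part, anchored at both ends.
TIGHTENED = r"\Abounces\+[^@\s]+@tracker\.debian\.org\Z"

# Envelope sender from the mail, with the archive's " at " restored to "@".
TRACKER_SENDER = (
    "bounces+20241029-mh+2Bdebian+2Dtracker=zugschlus.de@tracker.debian.org"
)

# Constructed senders that are not tracker bounce addresses.
CONSTRUCTED = [
    "bounces@tracker.debian.org",                # no "+token" part
    "notbounces+x@tracker.debian.org",           # different local part
    "bounces+x@tracker.debian.org.example.net",  # different domain
]


def accepts(pattern, sender, anchored_by_software=False):
    """Return True if the sender passes the allow pattern.

    anchored_by_software=True models software that uses re.match
    (anchored at the start); the default models an unanchored re.search.
    Which one applies depends on the list software (assumption).
    """
    fn = re.match if anchored_by_software else re.search
    return fn(pattern, sender) is not None


def report():
    """Map each sender to (passes AS_WRITTEN, passes TIGHTENED)."""
    return {
        sender: (accepts(AS_WRITTEN, sender), accepts(TIGHTENED, sender))
        for sender in [TRACKER_SENDER] + CONSTRUCTED
    }


if __name__ == "__main__":
    for sender, (loose, tight) in report().items():
        print(f"as-written={loose!s:5} tightened={tight!s:5} {sender}")
```

In the pattern as written, the unescaped `+` quantifies the preceding `s` instead of matching a literal plus sign, and nothing pins the match to the start or end of the address.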



