On Fri, Sep 15, 2023 at 09:53:24PM +0100, Luca Boccassi wrote:
> With the provision that I know next to nothing about pam - if I
> understood correctly how it works, why not simply do both? Ship the
> default file in the package under both /usr and /etc. Then, you get
> the semantics you want with local changes tracking, and /etc wins over
> the defaults. And we can have a working, bootable Debian container
> with only /usr. As far as I've been told, pam is the only blocker
> there - for a minimal image of course, but that's still quite a good
> achievement. Wouldn't this work, or am I missing something?

While I have applications downstream which also care about empty /etc, the
current situation is that this wouldn't help because almost all the
PAM application configs in Debian reference one or more of
common-{account,auth,password,session,session-noninteractive} which are
constructed at package install time and therefore are inappropriate to ship
in /usr.

Shipping the same file in both /usr and /etc from application packages seems
like it would be a reasonable workaround as far as it goes, but doesn't let
us empty /etc/pam.d.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
