On Fri, Sep 15, 2023 at 09:53:24PM +0100, Luca Boccassi wrote:
> With the provision that I know next to nothing about pam - if I
> understood correctly how it works, why not simply do both? Ship the
> default file in the package under both /usr and /etc. Then, you get
> the semantics you want with local changes tracking, and /etc wins over
> the defaults. And we can have a working, bootable Debian container
> with only /usr. As far as I've been told, pam is the only blocker
> there - for a minimal image of course, but that's still quite a good
> achievement. Wouldn't this work, or am I missing something?

While I have applications downstream which also care about empty /etc, the current situation is that this wouldn't help because almost all the PAM application configs in Debian reference one or more of common-{account,auth,password,session,session-noninteractive} which are constructed at package install time and therefore are inappropriate to ship in /usr. Shipping the same file in both /usr and /etc from application packages seems like it would be a reasonable workaround as far as it goes, but doesn't let us empty /etc/pam.d.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org