On Thu, Nov 13, 2008 at 03:13:52PM -0800, Matthew Jacob wrote:
> James Carlson wrote:
> >What we're asking here is how the delivered features themselves are
> >properly integrated with the rest of the existing Solaris features,
> >notably Least Privilege and RBAC.  If the answer is that they're just
> >not integrated because that's ETOOHARD (which is what I *think* you're
> >asserting), then perhaps architectural review is itself too hard.
> >  
> No, I'm not asserting ETOOHARD. I'm claiming that there needs to be a 
> balance between architecturally correct and end-user useful.

Sorry, what's the difference between "architecturally correct" and
"end-user useful"?

I don't see the difference.  It seems that you're arguing that having
sg3 on the system with zero integration is "end-user useful," and I
agree, but having more than zero integration should be even more
"end-user useful" for users that don't have the Primary Administrator
profile.

Now, on OpenSolaris systems the user that owns a particular system is
likely to have the Primary Administrator profile, so for *them* any
further integration of sg3 may well be pointless.

> >I guess I don't know whether we care about that.  I would suggest that
> >Darren and Gary do, which is why they spoke up.  It's not to slow down
> >a project or make it "geologic," but to find out what makes it complete.
> >  
> Yes. The "geologic" observation on my part is that so far some 
> issues have become so hard that to all intents and purposes change comes 

I don't see how looking at prof_attr(4) and deciding what profile each
sg3 utility most naturally belongs to (or, if none seems appropriate,
then creating new profiles as needed) is "so hard."

It does depend on who's doing the integration.  But hopefully submitters
learn and it gets easier over time.

> + Is it worth including at all?
> + Is it worth including even incomplete wrt RBAC?
> + Is it worth including if it takes a year to sort out RBAC and other 
> issues?

You've gone from "geologic" to "a year," but you're still exaggerating
massively.

Nico
-- 
