From: Arun Isaac <arunisaac@systemreboot.net>
To: Fabio Natali <me@fabionatali.com>, Bruno Victal <mirai@makinata.eu>
Cc: 72398@debbugs.gnu.org
Subject: [bug#72398] [PATCH v2] services: Add readymedia-service-type.
Date: Fri, 23 Aug 2024 00:28:09 +0100
Message-ID: <87r0agp27q.fsf@systemreboot.net>
In-Reply-To: <878qwoj25q.fsf@fabionatali.com>


>>> +(define %readymedia-user-account "readymedia")
>>> +(define %readymedia-user-group "readymedia")
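Review bot: both definitions hard-code the same literal without any comment saying that this is deliberate, so a later reader cannot tell a design decision from an oversight; a one-line comment above them (e.g. `;; Fixed system account; intentionally not exposed in readymedia-configuration.`) would record the choice the thread settles on, and the account-service-type extension that consumes these names should declare the user-account with `system? #t` and a nologin shell so the dedicated account is usable only through the wrapped daemon.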
>>
>> I think it would be better to expose this in the
>> readymedia-configuration record-type and have it be oriented around
>> user-account and user-group record-types, i.e.
>
> Fixed, although I'm not sure I'm 100% on board with this.
>
> I'm not completely sure but I have the feeling that a configurable
> ReadyMedia user might theoretically weaken the POLA, e.g. if the user
> chose their own user for this service.
>
> Following up on a related conversation we started on IRC, I suppose we
> should either go all in with flexibility (i.e. allow the user to switch
> off the least-authority-wrapper and set the service user) or adopt a
> slightly more rigid approach (mandated POLA and fixed user).
>
> I think I might have a slight preference for the latter, prioritising
> compartmentalisation over flexibility - but I'm keen to know what you,
> Arun, and all other Guixers may think about this.

I am with Fabio on this. Many (almost all, maybe?) services use a fixed
user account that cannot be configured. And, that's ok.

I don't think we should make the least authority wrapper optional
either. Making it optional would be too much complexity for little
benefit. The goal of Guix services isn't to provide total
configurability, but rather to be slightly opinionated so as to nudge
users in the right direction.

Let me know if I'm missing something important.

Cheers!
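As an added illustration of the approach Arun endorses, this is editorial example code, not code from the ReadyMedia patch under review nor from Guix itself: a minimal service for a hypothetical daemon `mydaemon` whose user and group are module-level constants rather than configuration fields, whose accounts are system accounts with a nologin shell, and which is always started through `least-authority-wrapper`. The daemon name, binary path, record and procedure names, and the `/srv/media` default are assumptions; so is the module path `(gnu system least-authority)` for `least-authority-wrapper`, which should be checked against the Guix tree being targeted.

```scheme
;; Editorial example, not from the patch or from Guix.  Shows a service
;; with a fixed (non-configurable) system account plus a least-authority
;; wrapper, the design the thread argues for.  All `mydaemon` names are
;; hypothetical.
(use-modules (gnu packages admin)            ; `shadow`, for sbin/nologin
             (gnu services)
             (gnu services shepherd)
             (gnu system shadow)             ; user-account, user-group
             (gnu system file-systems)       ; file-system-mapping
             (gnu system least-authority)    ; ASSUMED module path for least-authority-wrapper
             (guix gexp)
             (guix records))

;; Fixed user and group: deliberately not fields of the configuration
;; record, so a deployment cannot point the service at a shared account.
(define %mydaemon-user "mydaemon")
(define %mydaemon-group "mydaemon")

(define-record-type* <mydaemon-configuration>
  mydaemon-configuration make-mydaemon-configuration
  mydaemon-configuration?
  (mydaemon  mydaemon-configuration-mydaemon)          ; package providing sbin/mydaemon
  (media-dir mydaemon-configuration-media-dir          ; content served read-only
             (default "/srv/media")))

;; Accounts are created by extending account-service-type.  Both are
;; system accounts and the user has no login shell, so the only way to
;; act as this identity is through the daemon itself.
(define (mydaemon-accounts config)
  (list (user-group (name %mydaemon-group) (system? #t))
        (user-account
         (name %mydaemon-user)
         (group %mydaemon-group)
         (system? #t)
         (comment "mydaemon daemon user")
         (home-directory "/var/lib/mydaemon")
         (shell (file-append shadow "/sbin/nologin")))))

(define (mydaemon-shepherd-service config)
  (match-record config <mydaemon-configuration>
    (mydaemon media-dir)
    (let ((wrapped
           ;; The wrapper runs the binary in a container that sees only
           ;; the listed mappings: the media directory read-only and the
           ;; state directory writable.  The network namespace is left
           ;; shared because a media server must accept connections; the
           ;; mount, pid, ipc, uts and user namespaces stay isolated.
           (least-authority-wrapper
            (file-append mydaemon "/sbin/mydaemon")
            #:name "mydaemon"
            #:mappings (list (file-system-mapping
                              (source media-dir)
                              (target source))
                             (file-system-mapping
                              (source "/var/lib/mydaemon")
                              (target source)
                              (writable? #t)))
            #:namespaces '(mnt pid ipc uts user))))
      (list (shepherd-service
             (documentation "Run mydaemon as a fixed unprivileged user.")
             (provision '(mydaemon))
             (requirement '(networking user-processes))
             ;; Drop to the fixed account before exec; the wrapper is not
             ;; optional and the account is not a configuration knob.
             (start #~(make-forkexec-constructor
                       (list #$wrapped)
                       #:user #$%mydaemon-user
                       #:group #$%mydaemon-group))
             (stop #~(make-kill-destructor)))))))

(define mydaemon-service-type
  (service-type
   (name 'mydaemon)
   (extensions
    (list (service-extension account-service-type mydaemon-accounts)
          (service-extension shepherd-root-service-type
                             mydaemon-shepherd-service)))
   (description
    "Run mydaemon under a fixed system account inside a least-authority
wrapper.")))

;; Usage in an operating-system declaration (package binding assumed):
;; (service mydaemon-service-type
;;          (mydaemon-configuration (mydaemon my-mydaemon-package)))
```

The point of keeping `%mydaemon-user` and `%mydaemon-group` out of the record, and of not offering a switch that bypasses the wrapper, is that the confinement then holds for every deployment of the service rather than only for operators who remembered to leave the defaults alone.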

Thread overview: 16+ messages
2024-07-31 10:27 [bug#72398] [PATCH] services: Add readymedia-service-type Fabio Natali via Guix-patches via
2024-08-12 23:19 ` Arun Isaac
2024-08-19  0:27   ` Fabio Natali via Guix-patches via
2024-08-20  2:14     ` [bug#72398] [PATCH v2] " Bruno Victal
2024-08-22 10:13       ` Fabio Natali via Guix-patches via
2024-08-22 23:28         ` Arun Isaac [this message]
2024-08-23 11:04           ` [bug#72398] [PATCH v4] " Fabio Natali via Guix-patches via
2024-08-23 15:35             ` Bruno Victal
2024-08-26 10:11               ` [bug#72398] [PATCH v5] " Fabio Natali via Guix-patches via
2024-09-06 22:17                 ` Ludovic Courtès
2024-09-08 20:04                   ` [bug#72398] [PATCH v6] " Fabio Natali via Guix-patches via
2024-08-23 15:25           ` [bug#72398] [PATCH v2] " Bruno Victal
2024-08-28 22:51             ` Arun Isaac
2024-08-29 14:37               ` Fabio Natali via Guix-patches via
2024-08-22 23:22       ` Arun Isaac
2024-08-22 10:17 ` [bug#72398] [PATCH v3] " Fabio Natali via Guix-patches via
