FS#60364 - [gnupg] Should use a preset file instead of making symlinks in post_install

Attached to Project: Arch Linux
Opened by Luke Shumaker (lukeshu) - Tuesday, 09 October 2018, 23:33 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 26 July 2020, 19:07 GMT
Task Type: General Gripe
Category: Packages: Core
Status: Closed
Assigned To: Gaetan Bisson (vesath), Jan Alexander Steffens (heftig)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

Currently, gnupg ships a post_install script that creates the following symlinks:

/etc/systemd/user/sockets.target.wants/dirmngr.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket

However, systemd provides a "preset" mechanism for packages to indicate that a unit should be enabled "by default". This provides a uniform and documented (systemd.preset(5)) way for administrators/users to override those defaults.

So, I believe that gnupg should remove its install= script, and instead include a /usr/lib/systemd/user-preset/90-gnupg.preset file containing:

<code>
enable dirmngr.socket
enable gpg-agent.socket
enable gpg-agent-browser.socket
enable gpg-agent-extra.socket
enable gpg-agent-ssh.socket
</code>

Additional info:
* package version(s): core/gnupg 2.2.10-1

Closed by Gaetan Bisson (vesath)
Sunday, 26 July 2020, 19:07 GMT
Reason for closing: Won't implement
Additional comments about closing: No consensus that this is a good idea.
Comment by Luke Shumaker (lukeshu) - Wednesday, 10 October 2018, 00:43 GMT
Eli Schwartz pointed out on IRC that there's no ALPM hook for presets, which surprised me. I'd just assumed there was. So, it's not possible to entirely remove the install= script.

Ideally, we'd have the post_install evaluate just the single 90-gnupg.preset file, but AFAICT, there's no way to have `systemctl preset` run a specific .preset file. Instead `systemctl preset UNITS...` works like `systemctl enable UNITS...` or `systemctl disable UNITS...`, except that whether the unit is disabled or enabled is configured by all available .preset files.

Eli also pointed out that simply always running `systemctl preset` would force users to configure disabling it in /etc/systemd/user-preset/, rather than simply removing the symlinks; and that users who had removed the symlinks manually would have them re-enabled by upgrades. That is to say: It's not appropriate to run `systemctl preset` except for the cases where the install script currently calls `_global_units enable`.

Attached is what I believe the install script "should" look like. The only change is in the definition of _global_units(), which now calls `systemctl --global preset` instead of creating the symlinks manually (during post_install and post_upgrade), and `systemctl --global disable` instead of removing them manually (during post_remove). This change would enable users/sysadmins to inhibit the creation of the socket files by configuring /etc/systemd/user-preset/90-gnupg.preset, rather than having the install create them, and then having to manually remove them after running pacman. Just inhibit creation to begin with.

Finally, perhaps I should mention that the reason this came to my attention is that the current post_install script means that on Parabola OpenRC systems, /etc/systemd/ is created even though systemd isn't installed, which results in confused users. This is not even a real bug in Parabola, and is in no way a problem in Arch. Like the "Task Type" field says, this is a general gripe, not a bug.
Comment by Doug Newgard (Scimmia) - Sunday, 21 October 2018, 13:55 GMT
I still say packaging symlinks in /usr/lib/systemd/user/sockets.target.wants/ would be the way to go instead of the manual enable or a preset file.
Comment by Jan Alexander Steffens (heftig) - Monday, 22 October 2018, 07:25 GMT
This is probably a good idea but we have never used the preset system before. We can probably avoid having to install a preset file for each package shipping user units if we can simply define all user-level sockets to be enabled by default (because that's the policy I've been packaging with so far).

However, GnuPG is special as it's installed so early we can't use systemctl; see:
https://git.archlinux.org/svntogit/packages.git/commit/trunk/install?h=packages/gnupg&id=e74fd399d34afd5694471a048a4fff1db774f5cd
Comment by Jan Alexander Steffens (heftig) - Monday, 22 October 2018, 07:27 GMT
@Scimmia
Shipping symlinks like that is what I did for pulseaudio at first, but it resulted in angry users that couldn't use "disable" and had to use "mask".
Comment by Doug Newgard (Scimmia) - Monday, 22 October 2018, 16:24 GMT
Having to use mask vs disable is more of an education problem than it is a technical problem. Packages shipping files in /usr is the more correct way from a packaging standpoint, doesn't have the hacky feel that the current method does, and doesn't have any technical downsides.

There are things I don't like about using preset. Defaulting to enabling all units makes me cautious about it; interfering with the site-specific configuration in /etc makes me not like it. Configuration in /etc should be left up to the admin in my opinion, the package should only be dealing with /usr.
Comment by Luke Shumaker (lukeshu) - Tuesday, 23 October 2018, 18:53 GMT
@Scimmia
Do note that /usr/lib/systemd/system-preset/99-default.preset says "disable *", meaning that unless another .preset file says otherwise, all system units are disabled by default. Your concern "Defaulting to enabling all units makes me cautious about it;" can be addressed by adding a similar file to /usr/lib/systemd/user-preset/.

As far as shipping symlinks in /usr/lib/systemd/*/*.wants/, telling users to run "mask" instead of "disable" isn't quite right either. What the user wants to accomplish is preventing the unit from being started automatically, but what "mask" accomplishes is preventing the unit from being started at all--even by the user manually running `systemctl start`. That said, several packages already do ship symlinks in /usr/lib/systemd/*/*.wants/: fwupd, packagekit, dbus, device-mapper, logrotate, lvm2, man-db, mkinitcpio, mlocate, shadow, alsa-utils, hylafax, and systemd itself (though systemd also makes an exception to that and `systemctl enable`s getty@tty1.service and remote-fs.target from post_install).
Comment by Jan Alexander Steffens (heftig) - Tuesday, 23 October 2018, 21:42 GMT
To be clear, the preset file I would suggest would have:

<code>
enable xdg-user-dirs-update.service
enable *.socket
disable *
</code>
Comment by Luke Shumaker (lukeshu) - Tuesday, 23 October 2018, 23:07 GMT
@heftig
IMO, "enable xdg-user-dirs-update.service" should go in a separate preset file provided by xdg-user-dirs, not in a base preset file provided by filesystem or systemd.
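
Added example, not part of the thread or of Arch's packaging: a small offline model of the systemd.preset(5) lookup the comments rely on (files ordered by name, first matching line wins, a same-named file in /etc replacing the packaged one). The temporary directory tree, `preset_policy`, `demo_tree` and `example.service` are constructed for illustration; the real decision is made by `systemctl preset`.

```shell
#!/bin/sh
# Offline model of the systemd.preset(5) lookup; it never calls systemctl.
# Simplified: only "enable"/"disable" lines, preset file names without spaces.

# preset_policy UNIT DIR...   (DIRs listed highest priority first)
preset_policy() {
    unit=$1; shift
    # Preset files are ordered by file name, regardless of their directory.
    names=$(for d in "$@"; do
                for f in "$d"/*.preset; do [ -e "$f" ] && basename "$f"; done
            done | LC_ALL=C sort -u)
    for name in $names; do
        for d in "$@"; do
            [ -e "$d/$name" ] || continue
            while read -r action pattern rest; do
                case $action in enable|disable) ;; *) continue ;; esac
                # The first line whose glob matches the unit decides.
                case $unit in $pattern) echo "$action"; return 0 ;; esac
            done < "$d/$name"
            break   # same-named copies in lower-priority directories are ignored
        done
    done
    echo enable     # nothing matched: the unit counts as enabled
}

# Constructed sample tree in a temporary directory (stand-ins for
# /etc/systemd/user-preset and /usr/lib/systemd/user-preset).
demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/etc" "$root/usr"
    printf 'enable %s\n' dirmngr.socket gpg-agent.socket gpg-agent-ssh.socket \
        > "$root/usr/90-gnupg.preset"
    printf 'enable *.socket\ndisable *\n' > "$root/usr/99-default.preset"
    # Admin copy with the same name: replaces the packaged file as a whole.
    printf 'disable gpg-agent-ssh.socket\n' > "$root/etc/90-gnupg.preset"
    echo "$root"
}

tree=$(demo_tree)
for u in gpg-agent.socket gpg-agent-ssh.socket example.service; do
    printf '%-22s %s\n' "$u" "$(preset_policy "$u" "$tree/etc" "$tree/usr")"
done
rm -rf "$tree"
```

Because the admin's 90-gnupg.preset shadows the packaged file entirely, gpg-agent.socket is decided by the later catch-all file here, not by the package's own list.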
