Hello.

A lot of packages do default configuration in /etc/project.conf and
admin related stuff in /etc/project.d/whatsoever.conf to separate the distribution part from local overrides.

Every now and then it might be useful to switch changes on and off. The
Debian apache2 package uses sites-available/ and sites-enabled/ folders.
This is convenient.

I use this idea as a blueprint for administration. I put local
configuration stuff into /etc/project.available/ folders and symlinks
into /etc/project.d/ folders. This allows to toggle on/off mode easily
and is a coherent scheme (besides the little deviation in apache2).

Is it reasonable to use this idea as "best practice" and implement it
into Debian style administration recommendations? It works very well
e.g. for repository usage /etc/apt/sources.list.available/ where an
admin can look what is possible even if not part of the live system
yet. This would allow to ship a bunch of suggestions without enabling
them by default and without the need to edit the project.conf file.

Please share your thoughts with the community.
Was anything like this discussed previously?
--
kind regards
Frank

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE86z15c6qwvuAkhy+zDIN/uu9BloFAmdjyHsACgkQzDIN/uu9 BlqXzgv8DUxgWuHk00pEl+jVoqVzH/v4MSp3JWB3zWDEZuKXfMZcsb9MgrrUBlcE 1g1XjqExwnZAZj3KPfZvMVp2km7eWr29NMdcRKR9g+ZfZXaJoPGYHOCvrtajYZQ0 6xsTwOLKCjNHpmrqvCGPoNYJOK1jdKqkaa7G+LgI3N9I+Y+fpXNjiRL+5wYNG8Ib qqf6aqvROVCJrUnut9o2O0JUr9iuXSjaY96d4xV0eVa9eHgSxTAy4PQOc7CG5eVU R0OI4Tzp2PNggy1G2v6CNGPYw6XgxeTvw/qKzA0Myx37MMycNqVN7SS+H4S30cQ7 mysJ11Czl6NQkbrk+XD909y7LjwsE8rsrTd6LwY2DXWEfQ6UPFTtbDUspYehtbOL 8NcZpNPxNvFUehCKAPw56KNschS9ynqqrizg5qXoYV2OyGLSgA9V2fRb3Z+pk3gk 3vLWc+dY/qRPY1hVWarLN77KGssYMXb2GxDbdHp5uhPbYvE5pD2uJApYigt9Zq9S
c+PFT106
=PD2Y
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Dec 19, Frank Guthausen <fg.debian@shimps.de> wrote:

Is it reasonable to use this idea as "best practice" and implement it
into Debian style administration recommendations? It works very well

No: the expected default for systemd-managed services is to use
/etc/$SERVICE/ .

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZ2PSxQAKCRDLPsM64d7X ga9TAP9XuTIF02xqn14k6G1URpy+GGJOjKFCoyr9ehWux+tQDgD/d2QTLEmstvYO VqZD7nX8QlgmdKGylnrAfohqf5IINwM=
=UXTJ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 12/19/24 16:17, Frank Guthausen wrote:

A lot of packages do default configuration in /etc/project.conf and
admin related stuff in /etc/project.d/whatsoever.conf to separate the distribution part from local overrides.

It depends on the package.

Some packages have a "registry-style" configuration, where instances of
the service are configured in separate files -- but files are provided
by the admin. That is what the webservers do, because a single binary is responsible for hosting multiple largely independent virtual hosts.

Other packages provide an actual registry, like systemd or dbus, so they
need a mechanism to collect configuration files provided by other
packages from a directory.

For many packages, either of these is overkill, and the deviation from
upstream causes more work than it saves.

The conffile mechanism in dpkg acts like other version control systems
here and will ask the user to resolve if two branches (new defaults and
local configuration) of a file both have changes, but will assume that
two different files are semantically independent. If they aren't, then
an automatic merge that succeeds causes additional work down the line.

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Gioele Barabucci, le jeu. 19 déc. 2024 10:15:47 +0100, a ecrit:

* Admin can override the standard configuration via /etc/$proj/foo.conf

[...]

Upstream projects are moving to this style. I hope that one day Debian packages will stop shipping files under /etc.

Having pre-filled configuration files ready for editting in /etc
(possibly containing only commented lines) is extremely useful for
admins.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Gioele Barabucci, le jeu. 19 déc. 2024 10:22:02 +0100, a ecrit:

On 19/12/24 10:19, Samuel Thibault wrote:

Gioele Barabucci, le jeu. 19 déc. 2024 10:15:47 +0100, a ecrit:

* Admin can override the standard configuration via /etc/$proj/foo.conf

[...]

Upstream projects are moving to this style. I hope that one day Debian packages will stop shipping files under /etc.

Having pre-filled configuration files ready for editting in /etc
(possibly containing only commented lines) is extremely useful for
admins.

$ cp /usr/lib/$proj/foo.conf /etc/$proj/

Which is not trivial, really.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 09:01:09 +0100
Marco d'Itri <md@Linux.IT> wrote:

No: the expected default for systemd-managed services is to use /etc/$SERVICE/ .

Debian GNU/Systemd is only an unofficial
subdistribution of Debian GNU/Linux. YMMV
--
kind regards
Frank

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE86z15c6qwvuAkhy+zDIN/uu9BloFAmdj4tYACgkQzDIN/uu9 BlroUwv+Iz459mBY56qYvJLkSXL3rSZlb0Ip7GdZbIR8NIVNCdt3cVOx5rUnQXcR /9GFFBscgyC9r0j1szaCHhnGdWjHCs5DFGVS+dVH1yBMv0rUFgEicsdBAid+aXhb STbbTdezq2MlqqXFXsFKAQj82BC4Iypx/aVWBggZbet6HmzfjYqvWa0D3peaZ6qr PCwR2XoeJcqxN3p3gQtVmW1/riIR1PSdseL6oAF9l3JvIAGSQ6ti6XEaXla4ming 3h7JudiSpNu8EMaaKYzU5TgJro2ro9M+1cCXw4t+Rh/4PgrTa8zuWDlT1awPQrSA ebQPqSGt/XzxCp1qPPFx/2HAWvTB49sYz6TfHU43UWPvpUoq+hVBswMTusyU5MZ9 iSit7KqcA4D3mXT+bpnNUztyT/LfpoBV8mrm9Qc4C8CmeYyiCf1CyZLEodNe9lwo EmzqKsfVGjfI9/1+vxrIQLQ4AgBSc4hVcPc9aNXW+yPbiXg5frky2rd8AJzZ+281
v19QUe3W
=9qq9
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 19/12/24 08:17, Frank Guthausen wrote:

A lot of packages do default configuration in /etc/project.conf and
admin related stuff in /etc/project.d/whatsoever.conf to separate the distribution part from local overrides.

Hi,

this is what can be called "old style" overrides.

The modern way of doing it is the "stateless" style, most commonly
associated with systemd but used by plenty of other projects, plus
"drop-in" .d directories.

The basic documentation can be found at <https://uapi-group.org/specifications/specs/configuration_files_specification/>.
libeconf provides an implementation of the spec and its details.

Simply speaking the stateless style works like this:

* Distro/upstream configuration in /usr/lib/$proj/foo.conf (read-only)
* Admin can override the standard configuration via /etc/$proj/foo.conf
* Runtime overrides can be placed in /run/$proj/foo.conf
* User can override admin's and upstream's config via $HOME/.config/$proj/foo.conf
* User's runtime overrides can be placed in $XDG_RUNTIME_DIR/$proj/foo.conf

In addition, snippets that add or override only part of the
configuration can be loaded from {/usr/lib,/etc,/run,$HOME/.config}/$proj/foo.conf.d/extra1.conf

Upstream projects are moving to this style. I hope that one day Debian
packages will stop shipping files under /etc.

Regards,

--
Gioele Barabucci

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 18:03:06 +0900
Simon Richter <sjr@debian.org> wrote:

On 12/19/24 16:17, Frank Guthausen wrote:

A lot of packages do default configuration in /etc/project.conf and
admin related stuff in /etc/project.d/whatsoever.conf to separate
the distribution part from local overrides.

It depends on the package.

Sure. The idea can be restricted to those
projects which already offer an project.d/
folder.

And it can be extended/modified to project.example/ folders.

From my point of view both would be a lot of help for admins.
This concept can be implemented in an indepent an parallel way
by introducing packages ``project-extra-config'', which might
be flagged as recommended or suggested. This reduces risk of
breaking things or established workflows.
--
kind regards
Frank

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE86z15c6qwvuAkhy+zDIN/uu9BloFAmdj5qAACgkQzDIN/uu9 BlqSDwv9EZAXvhFMtYDFB0+qByeMsikSBj9tqesqARAqx1o0aaV0RNHDEFLHmIhm 8pRp6c7DDmzjGurUyJEL43gtZfViEUHGMXIkXyN5Gb50SjcadJHUBbuqKgqB7aJK MS25rD7h1kny2R50IGrNeUnCvJfTBb0M4uSGGpb9zOyewOLxueRMP9Z3GFhdm7XN pS3sfeRAydvlDWTPbgOSrHCPUE0swko+sB27Z7L1H93yymhj0dDseKC+w0HBmICO vbDyUGJXj0HYmQ86r44guLCmE3E3WIv1F4SUWeJe+LC51EynW0GMPpCMntRTeS9z 1eEZuMI4wFVlC7xnfqZKWcC/wmq5r6964qadbqJV/tUdavkNxbmfArLraBdqVkmo FUL9ui3cNukPP3rzlDY2rm2L5FiW6DU4Z+F8BCZL5yxtuBQjoTeicXjoL+m+1+Nr vLPK00DfrVq7sQGy+BvsLRKabLaa/uIOesirrdTTsJrbIV2dahqmJ2qi4/rUZJbl
J3n+8CHa
=bgoO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 19/12/24 10:19, Samuel Thibault wrote:

Gioele Barabucci, le jeu. 19 déc. 2024 10:15:47 +0100, a ecrit:

* Admin can override the standard configuration via /etc/$proj/foo.conf

[...]

Upstream projects are moving to this style. I hope that one day Debian
packages will stop shipping files under /etc.

Having pre-filled configuration files ready for editting in /etc
(possibly containing only commented lines) is extremely useful for
admins.

$ cp /usr/lib/$proj/foo.conf /etc/$proj/

Default conf files can contain (and often already contain) comments.

Regards,

--
Gioele Barabucci

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 10:09:41 +0100, Frank Guthausen
<fg.debian@shimps.de> wrote:

Debian GNU/Systemd is only an unofficial
subdistribution of Debian GNU/Linux.

Bullshit.

--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Thu, 2024-12-19 at 10:09 +0100, Frank Guthausen wrote:

On Thu, 19 Dec 2024 09:01:09 +0100
Marco d'Itri <md@Linux.IT> wrote:

No: the expected default for systemd-managed services is to use /etc/$SERVICE/ .

Debian GNU/Systemd is only an unofficial
subdistribution of Debian GNU/Linux. YMMV

Please keep such messages to appropriate mailing lists such as the
Devuan list (aka "Debian is not GNOME first discussion list" as they
are somehow concerned about GNOME).

🐟🐠🦈,
Ansgar

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Samuel Thibault, le jeu. 19 déc. 2024 10:26:12 +0100, a ecrit:

Gioele Barabucci, le jeu. 19 déc. 2024 10:22:02 +0100, a ecrit:

On 19/12/24 10:19, Samuel Thibault wrote:

Gioele Barabucci, le jeu. 19 déc. 2024 10:15:47 +0100, a ecrit:

* Admin can override the standard configuration via /etc/$proj/foo.conf

[...]

Upstream projects are moving to this style. I hope that one day Debian packages will stop shipping files under /etc.

Having pre-filled configuration files ready for editting in /etc (possibly containing only commented lines) is extremely useful for admins.

$ cp /usr/lib/$proj/foo.conf /etc/$proj/

Which is not trivial, really.

Put another way: would it really be /usr/lib/$proj, or rather (since
it's arch-independent) /usr/share/$proj, or rather (since that's
documentation) /usr/share/do/$proj. How an admin would know? That's just
hiding things, compared to the decades of habits.

Also, /etc would thus be full of empty /etc/$proj directories? I don't
see the point of not just putting the example files there? Why making it
more difficult for the admin to configure their server?

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 11:00:03 +0100
Ansgar 🙀 <ansgar@debian.org> wrote:

On Thu, 2024-12-19 at 10:09 +0100, Frank Guthausen wrote:

Debian GNU/Systemd is only an unofficial
subdistribution of Debian GNU/Linux. YMMV

Please keep such messages to appropriate mailing lists such as the
Devuan list

As long as Debian ships System-V-like init in the official
repository[1] I'm pretty sure I'm on the correct mailing list.

There is no need to assume that everything related to Debian is coupled
to systemd. It's the user's or admin's choice which init system is to
be used, regardless of Debian's decision what the default is. I can not conclude what Devuan has got to do with this. If you want to extend the
debate to a broader auditorium, think about Debian GNU/Hurd and Debian GNU/kFreeBSD in the first place.

If my suggestions do not apply to situations where systemd is used,
I'd suggest systemd advocates to stay quiet because the topic does
not concern them. TIA

[1] https://packages.debian.org/bookworm/sysvinit-core

--
kind regards
Frank

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE86z15c6qwvuAkhy+zDIN/uu9BloFAmdkBOEACgkQzDIN/uu9 BlrfKgwAnBDdzw4zY6IqbP/1QnKvKUUjPlzkIbVyWAq7PVE8GwusAybPQdJEUXti smFLwxJIr2WO3AEQAtjg4YZZBjFTjawS/B6+ZvDc5Vy27/czODVsWLCqY9+IUdU3 FR6IZK9diDaB0m1klo+i7HPIjgt198CWH3N3jKRBjZ3g3S0pq69481OTFYwFKdB8 HKGJWrZeKaOd55V2YDEzx9YX/HhrnWCMSvhifO4KtYV3BppjBPmdm7qBQ1iL+ASj QG2kxSpNAsQZk9U+IeQrw1utx01FH7TZB5pDywUXd8u4Y8ZMHd716LQXDYFdjFvZ jTTHVrHhYqsFUCaCzFOiHrshVV+WFUUpN6d4rOPe+bmhKMIHo39Jf+x6XrVVqIdZ 2U4GDrVb5Xj6OlHB6SxUvOvsovxmDPNkT/XjGVCAIzWPFJjUtbR+KwJwARZxOEjr RP+JtnNDZ3GYgQkwNvk143W5at94eE7WRs0gR2PyiINfG2vVLx56LsvGJJDAj8zO
NZLCMNvt
=/nUT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

this is what can be called "old style" overrides.

Things get to be "old" because they actually work well.

The modern way of doing it is the "stateless" style, most commonly associated with systemd but used by plenty of other projects, plus "drop-in" .d directories.

The basic documentation can be found at <https://uapi-group.org/specifications/specs/configuration_files_specification/>. libeconf provides an implementation of the spec and its details.

Simply speaking the stateless style works like this:

* Distro/upstream configuration in /usr/lib/$proj/foo.conf (read-only)
* Admin can override the standard configuration via /etc/$proj/foo.conf
* Runtime overrides can be placed in /run/$proj/foo.conf
* User can override admin's and upstream's config via $HOME/.config/$proj/foo.conf
* User's runtime overrides can be placed in $XDG_RUNTIME_DIR/$proj/foo.conf

In addition, snippets that add or override only part of the configuration can be loaded from {/usr/lib,/etc,/run,$HOME/.config}/$proj/foo.conf.d/extra1.conf

What group of idiots came up with a system where instead of having all of the configs in maximum of two places (/etc | ~/.config) have now spread them out across five completely separate directory trees?

I'm sorry but this is just SILLY. Spewing files all over the filesystem like this is exactly why things like /opt and /usr/local got created: to GROUP package-related files together.

<sigh> The pendulum swings, I suppose.

--J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 12:34:57 +0100, Frank Guthausen
<fg.debian@shimps.de> wrote:

If my suggestions do not apply to situations where systemd is used,
I'd suggest systemd advocates to stay quiet because the topic does
not concern them

That nicely helps me to put your suggestion in the correct
compartment, which is the bin.

--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

$ cp /usr/lib/$proj/foo.conf /etc/$proj/

Which is not trivial, really.

Well, it IS, but in the same way that "rm -rf /" is trivial. It's easy to do, but some non-trivial thought should occur before doing it.

Put another way: would it really be /usr/lib/$proj, or rather (since
it's arch-independent) /usr/share/$proj, or rather (since that's documentation) /usr/share/do/$proj. How an admin would know? That's just hiding things, compared to the decades of habits.

Also, /etc would thus be full of empty /etc/$proj directories? I don't
see the point of not just putting the example files there? Why making it
more difficult for the admin to configure their server?

This is how Splunk does it.

All project files are in $SPLUNK_HOME (hereafter $SH for brevity).

$SH/etc/system/default/thing.conf # defaults. strongly recommended not to edit.

$SH/etc/system/local/thing.conf # read next. admin overrides for defaults. does not have to exist.

$SH/etc/apps/$module/default/thing.conf # module-level "default overrides". system-level changes (if any) required for $module. do not edit

$SH/etc/apps/$module/local/thing.conf # module-level admin overrides for all of the above.


The part that's relevant to this conversation is that *everything* is under $SH/etc/ (and always *.conf). It makes it feasible to do things like:

find $SH/etc -type f -name thing.conf -exec grep -H 'setting' + \;

Good luck doing that with config files in 5+ places all over the filesystem.

--J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 2024-12-19 at 07:08 -0600, rhys wrote:

What group of idiots came up with a system where instead of having all of the configs in maximum of two places (/etc | ~/.config) have now spread them out across five completely separate directory trees?

The group is called "The Linux Userspace API (UAPI) Group", and according
to their home page, it consists of from people from Ubuntu Core, Debian,
GNOME OS, Fedora CoreOS, Endless OS, Arch Linux, SUSE, Flatcar, systemd, image-builder/osbuild, mkosi, tpm2-software, System Transparency,
buildstream, BTRFS, bootc, composefs, (rpm-)ostree, Microsoft, Amazon, and Meta.

You are free to disagree with this design, but please don't call the people behind it idiots. I am pretty sure there are plenty of very competent
people who have given this a lot of thought.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

What group of idiots came up with a system where instead of having all of the configs in maximum of two places (/etc | ~/.config) have now spread them out across five completely separate directory trees?

The group is called "The Linux Userspace API (UAPI) Group", and according
to their home page, it consists of from people from Ubuntu Core, Debian, GNOME OS, Fedora CoreOS, Endless OS, Arch Linux, SUSE, Flatcar, systemd, image-builder/osbuild, mkosi, tpm2-software, System Transparency, buildstream, BTRFS, bootc, composefs, (rpm-)ostree, Microsoft, Amazon, and Meta.

You are free to disagree with this design, but please don't call the people behind it idiots. I am pretty sure there are plenty of very competent
people who have given this a lot of thought.

I do tend to reserve my contempt to the few cases where it is appropriate.

But seriously, after 30+ years of working with various systems from NeXTStep to Windows to VAX, this all smacks of people who haven't learned anything from history and/or haven't spent enough time managing more than a few systems in one or two contexts.

"A lot of thought" in an echo chamber still has the same result, only worse. It reinforces itself without any real basis.

So now they're suggesting going down a road we've been down before. More than once.

Therefore, "idiots."

Sorry, but repeating history when nothing about the underlying situation has changed will never be smart.

--J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Thu, 2024-12-19 at 11:16 +0100, Samuel Thibault wrote:

Also, /etc would thus be full of empty /etc/$proj directories? I don't
see the point of not just putting the example files there? Why making it
more difficult for the admin to configure their server?

Examples belong to /usr/share/doc though?

And it is actively harmful as if one edits the example configuration to
have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

That was so annoying that Debian started having configuration files for configuring other configuration files, e.g., /etc/default/* to
configure /etc/init.d/*.

(Yes, I know that non-default configuration for dpkg can make it more
helpful.)

Removing packages also means that random stuff gets left over in /etc
which can break other software (and does!).

(Yes, I know that users are expected to purge packages and not only
remove them to prevent that, but many users do not.)

Ansgar

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Thu, 2024-12-19 at 12:34 +0100, Frank Guthausen wrote:

On Thu, 19 Dec 2024 11:00:03 +0100
Ansgar 🙀 <ansgar@debian.org> wrote:

On Thu, 2024-12-19 at 10:09 +0100, Frank Guthausen wrote:

Debian GNU/Systemd is only an unofficial
subdistribution of Debian GNU/Linux. YMMV 

Please keep such messages to appropriate mailing lists such as the
Devuan list

As long as Debian ships System-V-like init in the official
repository[1] I'm pretty sure I'm on the correct mailing list.

Thanks for providing another good reason to drop init scripts.

Ansgar
(hoping to eventually `dak rm sysvinit` to end this)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Ansgar 🙀, le jeu. 19 déc. 2024 16:21:03 +0100, a ecrit:

On Thu, 2024-12-19 at 11:16 +0100, Samuel Thibault wrote:

Also, /etc would thus be full of empty /etc/$proj directories? I don't
see the point of not just putting the example files there? Why making it more difficult for the admin to configure their server?

Examples belong to /usr/share/doc though?

Which is where I would look as second place indeed, but not
/usr/lib/$package (at best /usr/share/$package)

And it is actively harmful as if one edits the example configuration to
have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

That was so annoying that Debian started having configuration files for configuring other configuration files, e.g., /etc/default/* to
configure /etc/init.d/*.

Or can be put in .d/ directories. But then if e.g. an option disappears,
things just break without getting any warning ahead.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Dec 19, 2024 at 04:58:06PM +0100, Samuel Thibault wrote:

And it is actively harmful as if one edits the example configuration to have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

In my (narrow) experience it's often the version number at the top and
typo and whitespace fixes.


--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmdkWk8tFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh DyAP+wXuSHsPAWayoYPQ3IPyF/jBj/72VyA010545UM/C5/KXKcSOL3/9rQJjx2+ Tdc5HT1Fc0rUv8qXrQV8GOFPnFaw/zj9Iln3mkjkuw/X3H8JU2vjJ3R5qlsSYFzf m8CAtrD/+tiWvKmaloYDlAk7hNFimZ7Y2eU2MR2DL3Vai4M8w+CmjrpVKLx/J46c DGmuZNN6qC/mRqDXIwqgh0jAas7ry2ulo40dcmuhmi2sEfNvn6u1R9sxc4QVaWMt FQ4qIJH7/RybW+OCMCTtSi4TOnFLFENA2co7qJlVFPd3f2VwijMY9Uazt2hmEmtK fF5i1wUhed4N5rNtjMi61xUP61XFEUu1IqT09ZjRA3RwxBtjf/v5Em8lDWu+ULFF JQt7u88NVMFDT00SV2zek9jfKzK0DmjBDGYTJP5TTekbG7fYN5VsIU07QMfOOO9e lVy6fCVSxQ0ieG7rOettJ1ioEGQKAxkcZ0WHBzVEqhzUKjNBD2mbWdQHnUiEDtKO /PKYQgXz+GW3ZCprTfoRfCO8ympb2hUpp83eukQSPGVDxRdLwgma27OY2abI2fuk rr2/rrrHJGRm0amb0KqmIfL/sVOEUP3YsAYN+n75bsEQs2bW0MlLQT2z92SMMQ+O Gf5ZBBQgszgRf/DGX3zF4ljur/yc2yjqrkpbMciyJVQaw7Vs
=SVLM
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Samuel Thibault wrote:

Ansgar 🙀, le jeu. 19 déc. 2024 16:21:03 +0100, a ecrit:

And it is actively harmful as if one edits the example configuration to have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

There are (at least) two different models of handling configuration
here; people used to one model find the other to be awkward and cause
problems, and vice versa.

In the model where you augment the default system configuration by
adding files in /etc, you ideally don't *need* a complete copy of the configuration file. You add a file that has the single configuration
directive you want to change. If the upsteam configuration changes, you automatically get the new defaults for all the other options.

I've found that often, the diffs of a complete "sample" configuration
file with commented-out defaults don't have changes to the defaults,
they tend to have new options. That makes the diff much less useful, and
much less likely to lead me to make any changes to my own configuration.

However, I think there *is* a best-of-both-worlds option here.

Suppose that packages ship sample configuration files *that exactly
match their defaults* (which should in general mean that everything is commented out) in some standardized path under /usr/share/doc/$package/
(e.g. examples/etc), that makes it easy to see what path the example corresponds to in /etc.

Then, we could have a package (e.g. "etc-commented-defaults") with an on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the
case where they've been changed. That package could also provide scripts
for easily seeing the diffs between your configuration and all the
defaults.

Users who *don't* want that behavior can remove that package, and users
who *do* want that behavior could install it.

That seems like an improvement over the current situation, in which
there's a mix of packages that ship commented-defaults (causing problems
for the people who want an empty /etc) and packages that don't (causing problems for the people who expect a sample file in /etc). It'd be a
step along the road towards having a uniform policy for handling
configuration files.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Josh Triplett, le jeu. 19 déc. 2024 19:05:56 -0800, a ecrit:

Samuel Thibault wrote:

Ansgar 🙀, le jeu. 19 déc. 2024 16:21:03 +0100, a ecrit:

And it is actively harmful as if one edits the example configuration to have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

There are (at least) two different models of handling configuration
here; people used to one model find the other to be awkward and cause problems, and vice versa.

In the model where you augment the default system configuration by
adding files in /etc, you ideally don't *need* a complete copy of the configuration file.

Yes, that's why having both the ready-to-be-modified model *and* a .d/ directory fits both cases.

Then, we could have a package (e.g. "etc-commented-defaults") with an on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the
case where they've been changed.

But isn't it what we already have? If I don't modify the example in /etc
and only add files to .d/, I'm getting upgrades without questions.
And if I modify the example in /etc, I'm getting the question. That way
I can decide per-package whether to just augment or change the
default configuration.

That seems like an improvement over the current situation, in which
there's a mix of packages that ship commented-defaults (causing problems
for the people who want an empty /etc) and packages that don't (causing problems for the people who expect a sample file in /etc).

But the assumption is the same in both case: packages should provide
an example file in a standardized place. Be it in /etc or in some
/usr/share/ doesn't change the question of having people converging to
it. And having it ready for modification in /etc is way more convenient
than having it in some /usr/share and determining where it's supposed to
be put in /etc.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Henrik Ahlgren, le ven. 20 déc. 2024 11:32:37 +0200, a ecrit:

On Fri, 2024-12-20 at 09:55 +0100, Samuel Thibault wrote:

But isn't it what we already have? If I don't modify the example in /etc and only add files to .d/, I'm getting upgrades without questions.
And if I modify the example in /etc, I'm getting the question. That way
I can decide per-package whether to just augment or change the
default configuration.

For many packages that works well, but the devil is in the details.

It will be with any scheme that gets devised. So the simpler scheme will
be better.

For example, the most common configuration change for chrony is to use
a set of custom NTP servers, by dropping a configuration snippet under /etc/chrony/sources.d. But the example config /etc/chrony/chrony.conf
always adds the default pool "2.debian.pool.ntp.org" unless you
modify the configuration file and comment it out, since the "pool" configuration directive can be used multiple times.

And that will get troubles with other schemes too.

One thing that could be useful is to be able to tell dpkg "never ask me
again for replacing this config file with the shipped one", and you will
get what is being proposed. Per-package.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 2024-12-20 at 09:55 +0100, Samuel Thibault wrote:

But isn't it what we already have? If I don't modify the example in /etc
and only add files to .d/, I'm getting upgrades without questions.
And if I modify the example in /etc, I'm getting the question. That way
I can decide per-package whether to just augment or change the
default configuration.

For many packages that works well, but the devil is in the details. For example, the most common configuration change for chrony is to use a
set of custom NTP servers, by dropping a configuration snippet under /etc/chrony/sources.d. But the example config /etc/chrony/chrony.conf
always adds the default pool "2.debian.pool.ntp.org" unless you modify
the configuration file and comment it out, since the "pool"
configuration directive can be used multiple times. I guess this
example does not strictly follow this pattern, since the pool setting
is the only non-default setting not commented in the file.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Josh Triplett <josh@joshtriplett.org> writes:

Suppose that packages ship sample configuration files *that exactly
match their defaults* (which should in general mean that everything is commented out) in some standardized path under /usr/share/doc/$package/
(e.g. examples/etc), that makes it easy to see what path the example corresponds to in /etc.

Then, we could have a package (e.g. "etc-commented-defaults") with an on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the
case where they've been changed. That package could also provide scripts
for easily seeing the diffs between your configuration and all the
defaults.

Users who *don't* want that behavior can remove that package, and users
who *do* want that behavior could install it.

Isnt this basically implementing the systemd approach, where a package
would ship default configuration in /usr/lib/package (with all defaults,
which dont need to be commented out) and the user can override by
putting files in /etc/package -- either by copy-and-edit or just adding individual changes. (I think systemd-sysctl does this, also suppporting
/run/ for temporary changes?)

I think systemd can already tell you how the locations have been merged together (eg 'systemctl cat' does this), but perhaps what is missing is
a way to see what changed on upgrade (you'd want to save the clean
version from the _previous_ version of a package to be able to do that
after the upgrade)?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Dec 20, 2024 at 09:55:17AM +0100, Samuel Thibault wrote:

Josh Triplett, le jeu. 19 déc. 2024 19:05:56 -0800, a ecrit:

Samuel Thibault wrote:

Ansgar 🙀, le jeu. 19 déc. 2024 16:21:03 +0100, a ecrit:

And it is actively harmful as if one edits the example configuration to have a useful configuration as dpkg will start annoying admins with "the example configuration has changed; what do you want to do" messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

There are (at least) two different models of handling configuration
here; people used to one model find the other to be awkward and cause problems, and vice versa.

In the model where you augment the default system configuration by
adding files in /etc, you ideally don't *need* a complete copy of the configuration file.

Yes, that's why having both the ready-to-be-modified model *and* a .d/ directory fits both cases.

I'm talking about the "empty /etc" model here, which is why I'm trying
to find a solution so that people who *want* the file-full-of-comments
have it, without installing it for people who *don't* want it.

Then, we could have a package (e.g. "etc-commented-defaults") with an on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the case where they've been changed.

But isn't it what we already have? If I don't modify the example in /etc

No, the model I was describing would have *no* file in /etc if you
remove `etc-commented-defaults`. The point here is to support the users
who want an empty /etc and the users who want files full of
commented-out defaults.

Right now, the model we have is "some packages use the empty /etc model,
some packages install commented-out defaults, and there's no
consistency". I'd love to move to the model of "all packages use
whichever model the sysadmin prefers".

- Josh Triplett

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Josh Triplett, le ven. 20 déc. 2024 02:05:30 -0800, a ecrit:

On Fri, Dec 20, 2024 at 09:55:17AM +0100, Samuel Thibault wrote:

Josh Triplett, le jeu. 19 déc. 2024 19:05:56 -0800, a ecrit:

Samuel Thibault wrote:

Ansgar 🙀, le jeu. 19 déc. 2024 16:21:03 +0100, a ecrit:

And it is actively harmful as if one edits the example configuration to
have a useful configuration as dpkg will start annoying admins with "the example configuration has changed; what do you want to do" messages.

Yes, but the thing is: I *do* want to see that message, to make sure what changed upstream and fix my manual configuration accordingly.

There are (at least) two different models of handling configuration
here; people used to one model find the other to be awkward and cause problems, and vice versa.

In the model where you augment the default system configuration by
adding files in /etc, you ideally don't *need* a complete copy of the configuration file.

Yes, that's why having both the ready-to-be-modified model *and* a .d/ directory fits both cases.

I'm talking about the "empty /etc" model here, which is why I'm trying
to find a solution so that people who *want* the file-full-of-comments
have it, without installing it for people who *don't* want it.

What I completely fail to understand is why people would want to not see
any file in /etc. What harm does it *actually* cause?

Right now, the model we have is "some packages use the empty /etc model,
some packages install commented-out defaults, and there's no
consistency". I'd love to move to the model of "all packages use
whichever model the sysadmin prefers".

Yes, agreeing on something (but also... actually getting it to actually happen...) would be better than the current situation.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Fri, 2024-12-20 at 11:50 +0100, Samuel Thibault wrote:

What I completely fail to understand is why people would want to not
see any file in /etc. What harm does it *actually* cause?

It makes it hard to see what was actually configured: there is random configuration bits, possibly from a random older version of the
package, intermixed with local configuration.

With empty-/etc, you would (ideally) only have explicit local
configuration in /etc which makes it much, much easier to see what the
local admin changed to diagnose problems, prepare upgrades and so on.
This is practically impossible now.

It also avoids the problem of removed-but-not-purged packages.

Ansgar

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Dec 19, 2024 at 08:36:25AM -0600, rhys wrote:

What group of idiots came up with a system where instead of having all of the configs in maximum of two places (/etc | ~/.config) have now spread them out across five completely separate directory trees?

The group is called "The Linux Userspace API (UAPI) Group", and according to their home page, it consists of from people from Ubuntu Core, Debian, GNOME OS, Fedora CoreOS, Endless OS, Arch Linux, SUSE, Flatcar, systemd, image-builder/osbuild, mkosi, tpm2-software, System Transparency, buildstream, BTRFS, bootc, composefs, (rpm-)ostree, Microsoft, Amazon, and Meta.

You are free to disagree with this design, but please don't call the people behind it idiots. I am pretty sure there are plenty of very competent people who have given this a lot of thought.

I do tend to reserve my contempt to the few cases where it is appropriate.

But seriously, after 30+ years of working with various systems from NeXTStep to Windows to VAX, this all smacks of people who haven't learned anything from history and/or haven't spent enough time managing more than a few systems in one or two contexts.

"A lot of thought" in an echo chamber still has the same result, only worse. It reinforces itself without any real basis.

So now they're suggesting going down a road we've been down before. More than once.

Therefore, "idiots."

Sorry, but repeating history when nothing about the underlying situation has changed will never be smart.

--J

Rhys,

this mailing list is covered by the Debian CoC. Calling anyone names
is inappropiate, so either cease doing so on Debian resources or stop
posting at all.

--
tobi

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmdlVmEACgkQkWT6HRe9 XTaiaA//f5j4kt943Dt3Geiscawe3al5ekDpUCo4eIY2h1dDuRCySYjLIk1/a1qd U64w9gGDPEXf/546vFzjGl8I9MylAiTfS3nfba1Bs+OPYeOzjOaJsWyuNCKhaov4 3asqOsSCrT5pKEDguhXrtEZbTHNtXZOHU4kDR5TzXtJBxSuWJgXKvVuIrXSxUSZb CfHdLh+KiAO5uc+g1Zl1s0kZw4HkyQ653STw/rrLbg8MymMTB+z3X1ePHHeHMJ/b 0JnrGndtlTOc8MbUCqk3v2gPHccBFs3mb8DM7MJHHjAGPndnhd4UYtBwJy4X5tl8 vsyhPdqym0wfSCTKxhNxFnEWNX1Jg8KnFt0NcZCdRyjxHP2dF1ms4ctT6spueoJq ckIS2tUR/ysfNRp2PWdjH3fRYWuQpRFIETQ8kjWDmL5ozQQT57QKaGTICbdytvO0 cvngnayIE6Qpdxjnc2WaUVw+Sq7Ef7qGOqcpGabJis1Cw/+NoP5qGAnAHp0YFbXn 6441bSdSiXaBR/W8K67NSERm7XOBV2S283YqZbHdl4YHlRrVNGxOzP1C5FsNS0vu nQU5WiOApv1fx7T5DFPO4rgMK2UzChzk9K3jI9PNlh4DLY1/nwwmGaYVYJZzmC7d fNcN4BQDJ7FOcX4YeoO9MQY3JkZJ6FLjpv3Nym8f8IRR0k5oZpQ=
=a1eF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 2024-12-20 at 12:01 +0100, Ansgar 🙀 wrote:

With empty-/etc, you would (ideally) only have explicit local
configuration in /etc which makes it much, much easier to see what the
local admin changed to diagnose problems, prepare upgrades and so on.
This is practically impossible now.

It would obviously be ideal for stateless systems as well:  http://0pointer.de/blog/projects/stateless.html

Which is radically different from what Debian (a traditional stateful
system) is today, but keeping /etc clean and tidy would still have some benefits.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Ansgar 🙀, le ven. 20 déc. 2024 12:01:24 +0100, a ecrit:

On Fri, 2024-12-20 at 11:50 +0100, Samuel Thibault wrote:

What I completely fail to understand is why people would want to not
see any file in /etc. What harm does it *actually* cause?

It makes it hard to see what was actually configured: there is random configuration bits, possibly from a random older version of the
package, intermixed with local configuration.

With empty-/etc, you would (ideally) only have explicit local
configuration in /etc which makes it much, much easier to see what the
local admin changed to diagnose problems, prepare upgrades and so on.
This is practically impossible now.

ucf should be able to provide this?

Put another way: it's not the presence of files in /etc that poses
problem. It's not having the shipped version at hand for comparing it.
Let's fix that rather than dropping something which is useful to admins.

It also avoids the problem of removed-but-not-purged packages.

With files copied into /etc, you will still have configuration files
lying around, and *not tracked*.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Henrik Ahlgren, le ven. 20 déc. 2024 13:47:24 +0200, a ecrit:

On Fri, 2024-12-20 at 12:01 +0100, Ansgar 🙀 wrote:

With empty-/etc, you would (ideally) only have explicit local
configuration in /etc which makes it much, much easier to see what the local admin changed to diagnose problems, prepare upgrades and so on.
This is practically impossible now.

It would obviously be ideal for stateless systems as well:  http://0pointer.de/blog/projects/stateless.html

But being "ideal" doesn't mean it should harm other workflows. If there
is an easy-enough way to check if /etc is unmodified (that's the whole
point of ucf), why not just use it rather than change everything?

Again, it's not the *presence* of files in /etc that is the actual
problem that is being addressed. While it's their presence that helps
people who use stateful configuration.

Samuel

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Fri, 2024-12-20 at 13:00 +0100, Samuel Thibault wrote:

Ansgar 🙀, le ven. 20 déc. 2024 12:01:24 +0100, a ecrit:

On Fri, 2024-12-20 at 11:50 +0100, Samuel Thibault wrote:

What I completely fail to understand is why people would want to not
see any file in /etc. What harm does it *actually* cause?

It makes it hard to see what was actually configured: there is random configuration bits, possibly from a random older version of the
package, intermixed with local configuration.

With empty-/etc, you would (ideally) only have explicit local
configuration in /etc which makes it much, much easier to see what the local admin changed to diagnose problems, prepare upgrades and so on.
This is practically impossible now.

ucf should be able to provide this?

No, first you would need something on top of ucf. Then you would need
to make sure admins don't keep parts from random older versions which
cause noise.

And then you would need all packages to switch to ucf. Which AFAIU
requires maintainer scripts which is something people would like to
avoid as well. (To be fair: alternatives also require packaging
changes.)

Put another way: it's not the presence of files in /etc that poses
problem. It's not having the shipped version at hand for comparing it.
Let's fix that rather than dropping something which is useful to admins.

It also avoids the problem of removed-but-not-purged packages.

With files copied into /etc, you will still have configuration files
lying around, and *not tracked*.

That problem doesn't exist if you don't copy unneeded files to /etc.

Copying files to /etc and then writing logic to filter those out of
some comparisons seems more complicated than just not copying needed
stuff. It also means I don't have to use a special program to see what
changed.

Ansgar

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 20 Dec 2024 02:05:30 -0800
Josh Triplett <josh@joshtriplett.org> wrote:

I'm talking about the "empty /etc" model here, which is why I'm trying
to find a solution so that people who *want* the file-full-of-comments
have it, without installing it for people who *don't* want it.

This sounds to be a reasonable philosophy. I support this idea.

No, the model I was describing would have *no* file in /etc if you
remove `etc-commented-defaults`. The point here is to support the
users who want an empty /etc and the users who want files full of commented-out defaults.

This model approach seems to be an universal solution. Shifting the
decision to users'/admins' choice and style would be a huge improvement.
--
kind regards
Frank

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE86z15c6qwvuAkhy+zDIN/uu9BloFAmdlZ3QACgkQzDIN/uu9 BlrCqQv/SEJqdvY2hEIDDVMgfXdTMhai8qmStW6qzMnVJFcUDcaEIjHu/wyd9Mz3 qdY+n28WrAzy/DV8O+KOQVGMFKR6t9C1SO7ryS86TFEZ86Qq1U+KxF8BXADR+R/F 1kPpOMWa8MzpadljY21IEk1QhqpafGbcCKWWEh0Yb+P8B0mxiRE8JQYKit50dU1Y pUd4NMUelSeemV07xy4n3Pw40k7rpCnvVPWo1JXcPgom+XqTT0Ld4yLEBNOwl0wG c7fpG7+FS3XoJrQemkQuWHj9n2Y5cGLXPz2MsmcUoElHyACs83qfL4WL37UL5EH4 4NZ/gj4AcfwqSjPrlNs3z1w895wYQYpK0y1dNEfKzHqyG2M6vAaL09rz88PHpSJA pEK+ekuHCTNHM/cpzvfYJIW5a/E+waoD1fMLWjI3BEyYAHqkIH0l4mwVbeC2sCUW KtjEafdgoZkJGlD7Kyh7SKj4R3QA+Vd+9uEzkdOcHQzbuzna6G5rVH7OMefy/cVS
7zo8grsr
=vOTN
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Suppose that packages ship sample configuration files *that exactly
match their defaults* (which should in general mean that everything is
commented out) in some standardized path under /usr/share/doc/$package/
(e.g. examples/etc), that makes it easy to see what path the example
corresponds to in /etc.

Then, we could have a package (e.g. "etc-commented-defaults") with an
on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the
case where they've been changed. That package could also provide scripts
for easily seeing the diffs between your configuration and all the
defaults.

Users who *don't* want that behavior can remove that package, and users
who *do* want that behavior could install it.

Isnt this basically implementing the systemd approach, where a package
would ship default configuration in /usr/lib/package (with all defaults, which dont need to be commented out) and the user can override by
putting files in /etc/package -- either by copy-and-edit or just adding individual changes. (I think systemd-sysctl does this, also suppporting
/run/ for temporary changes?)

I think systemd can already tell you how the locations have been merged together (eg 'systemctl cat' does this), but perhaps what is missing is
a way to see what changed on upgrade (you'd want to save the clean
version from the _previous_ version of a package to be able to do that
after the upgrade)?

This is why there won't ever be "one policy to rule them all" for configuration files. The issue isn't an inconsistency in the way the packages are built. Sufficient work by packaging teams, over time, could simply set a policy and work toward that.

The problem is that different apps interpret their configs in different ways when a directive is encountered multiple times:

1. second instance overrides
2. first instance overrides
3. instances accumulate
4. error condition

That's just off the cuff. There are probably more cases involving context-specific instances and so on. But this variation is necessary as each case will follow the needs of the package.

If I were in charge of the world (which I am not), I would merge the "Splunk approach" with some of the comments I've seen here as follows:

1) "package defaults" and/or "package templates" in /usr/share. These would be meant as references and/or as a means to restore a package back to defaults if/when the active configs are such a mess that the admin decides to start over.
2) "system global" in /etc/package/package.conf. This could be the "everything commented" style, like sshd, or it could be the actual defaults like Splunk, depending on whether the package does "overrides" or not. Splunk does overrides. Sshd does not.
3) "site add-ins" in /etc/package/conf.d (or similar). We're all familiar with this. I don't need to explain.

This way, all configs for $package are in /etc/package. I still think it's reasonable to have package.conf and package.d/ in /etc, though it's kind of annoying in a few cases. Either way, the active configs are simple to find, but are still technically
separated from the documentation/failsafe defaults in /usr/share which acts like a sort of "vault" that isn't part of the active config (and is thus less likely to be modified by inexperienced admins who ignore the "DO NOT EDIT THIS FILE" warning at the
tops of default global configs).

Any package that allows ~/.config/user-overrides isn't really affected by any of this. Those are all the user's problem, though nothing precludes a /usr/share/package/user-orverrides example file for whatever reason that might be useful.


What I don't think will ever be unified is the contents of that global config, wherever it lives. Some will be "defaults all shown and active." Others will be "defaults shown but commented." Still others will be "defaults shown but must be edited" (
NTP). I don't think there's much of a way around that, since developers will code their packages the way they want to, and preferences about this sort of thing are too much subject to drift over time.

(Side note: It would be handy for these styles to have names, just to speed up conversation, assuming they don't already.)

Anyway, I don't see these variations as a weakness, but rather as a demonstration of the flexibilty of the system. While it's certainly good to have one or more recommended ways of doing things, there doesn't have to be One Right Way for everything.
That would be both boring and restrictive.

--J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Samuel Thibault <sthibault@debian.org> writes:

It seems way more often to me that I want to easily inspect/modify/amend
the configuration in /etc (without having to look whatever other place
to find out about the default configuration) than checking what changes
I have made to /etc which I may not want any more. And thus having a
special program for the latter looks completely fine to me. That's what people do with etckeeper and such already.

And this is the root of the problem: you want one thing for understandable reasons, and other people, like myself, would prefer the opposite behavior
of having /etc empty by default for different understandable reasons. We
both understand the other's point of view and simply disagree about the
merits of the features of the two methods.

Neither side of this preference is going to convince the other any more
than I am going to convince everyone to use Emacs, and yet every time we
have this discussion it turns into an extended effort to convince people
with the opposite preference.

Maybe it would be more productive to take the preference disagreement as
given and then try to figure out how to proceed given that we're never
going to all agree on the best way of handling configuration files? Is
there some way that we can try to accomodate both groups?

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 20 Dec 2024 11:50:57 +0100, Samuel Thibault
<sthibault@debian.org> wrote:

Josh Triplett, le ven. 20 déc. 2024 02:05:30 -0800, a ecrit:

I'm talking about the "empty /etc" model here, which is why I'm trying
to find a solution so that people who *want* the file-full-of-comments
have it, without installing it for people who *don't* want it.

What I completely fail to understand is why people would want to not see
any file in /etc. What harm does it *actually* cause?

Empty /etc is another idea of the people who sell a distribution that
has config file handling that is WAY inferior to what we have since 20
years. And ours is bad in some regards already.

Please don't adopt everything that Red Hat has come up with when we
have been better than that for ages.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Russ Allbery wrote:

And this is the root of the problem: you want one thing for understandable reasons, and other people, like myself, would prefer the opposite behavior
of having /etc empty by default for different understandable reasons. We
both understand the other's point of view and simply disagree about the merits of the features of the two methods.

Neither side of this preference is going to convince the other any more
than I am going to convince everyone to use Emacs, and yet every time we
have this discussion it turns into an extended effort to convince people
with the opposite preference.

Maybe it would be more productive to take the preference disagreement as given and then try to figure out how to proceed given that we're never
going to all agree on the best way of handling configuration files? Is
there some way that we can try to accomodate both groups?

Elsewhere in the thread, I suggested a way to do exactly that:

https://lists.debian.org/msgid-search/Z2TfFJX8x-E0Ot12@localhost (https://lists.debian.org/debian-devel/2024/12/msg00431.html)

We could have a package that, when installed, ensures that packages have default/commented/etc configuration files in etc, and when *not*
installed, ensures that packages don't install files that match their
defaults.

(That message outlines one possible implementation strategy, but many
different approaches could work. The key detail is to tie it to
something the sysadmin can control.)

This would make folks who want a template-populated /etc happier because packages currently following the empty-/etc model would better respect
their preferences. And it would make folks who want an empty /etc
happier because packages currently following the template-populated-/etc
model would better respect their preferences. This would also give us a standardized location for template /etc files, which would help folks
using either model.

I'm *not* suggesting this would be a rapid change, but it could help us gradually work towards more uniform behavior, without people having to
give up the advantages of the model they prefer.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-12-19 Andrey Rakhmatullin <wrar@debian.org> wrote:

On Thu, Dec 19, 2024 at 04:58:06PM +0100, Samuel Thibault wrote:

And it is actively harmful as if one edits the example configuration to
have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

In my (narrow) experience it's often the version number at the top and
typo and whitespace fixes.

Hello,

Please submit bug reports against packages keeping (and updating) the
version number in a dpkg conffile and triggerring unnecessary conffile
prompts.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Dec 20, 2024 at 08:37:33AM -0600, rhys wrote:

Right now, the model we have is "some packages use the empty /etc model, some packages install commented-out defaults, and there's no
consistency". I'd love to move to the model of "all packages use
whichever model the sysadmin prefers".

Speaking as a sysadmin, I MUST ACCEPT the fact that I don't write this code. This is not my code. I can't always have my way. If the developer for a package decides that a different way is best for their package, so be it.

Debian is not a distribution that says "whatever upstream does is always right". We have Debian Policy for a reason, and part of the point of a distribution is to ensure packages meet that policy, providing uniform
behavior for sysadmins. Policies don't change overnight, but over time
we can steer in a general direction.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 21 Dec 2024 07:33:46 +0100, Andreas Metzler <ametzler@bebt.de>
wrote:

On 2024-12-19 Andrey Rakhmatullin <wrar@debian.org> wrote:

On Thu, Dec 19, 2024 at 04:58:06PM +0100, Samuel Thibault wrote:

And it is actively harmful as if one edits the example configuration to >>>> have a useful configuration as dpkg will start annoying admins with
"the example configuration has changed; what do you want to do"
messages.

Yes, but the thing is: I *do* want to see that message, to make sure
what changed upstream and fix my manual configuration accordingly.

In my (narrow) experience it's often the version number at the top and
typo and whitespace fixes.

Hello,

Please submit bug reports against packages keeping (and updating) the
version number in a dpkg conffile and triggerring unnecessary conffile >prompts.

Maybe our conffile handling should be modified to automatically accept comment-only changes to dpkg-conffiles.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-12-22 at 08:37 +0100, Marc Haber wrote:

Maybe our conffile handling should be modified to automatically
accept comment-only changes to dpkg-conffiles.

Greetings
Marc

That would require to tag what is considered a comment for each
conffile.

While most config files seem to use a # marker, other use ; (e.g.
php.ini), // or /* (firefox-esr) or even " (vimrc).

Some conffiles support multiple types of comments, while others none at
all. In some cases comments may be added at the end of lines, others
require that the comment starts the line, albeit whitespace is
*sometimes* allowed before.
In some cases conf files support a full shell syntax (you could comment
with if false; then ... fi), others only accept a tiny subset. In some
cases you can provide a multiline literal containing a comment-marker
(and there could be reasons for that, such as setting a banner with #
lines).

courier uses # comments, but lines beginning with ## are special, it
uses them so that their conffiles can be automatically upgraded (it is
clever solution to the configuration-options-change-between-versions
problem, but again, specific to this package).


I do think it would be good that it was able to do some comment-merging
(even if it is just telling you "the conffile changes are irrelevant"),
but it would require to at least define some classes of etc files on
which that would be supported (a compillation that would be useful for
other users as well, such as editors).


Regards

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-12-20 at 11:42 -0800, Russ Allbery wrote:

Maybe it would be more productive to take the preference disagreement as given and then try to figure out how to proceed given that we're never
going to all agree on the best way of handling configuration files? Is
there some way that we can try to accomodate both groups?

Create a diversion from /etc to /usr/share/etc-conffiles-as-packaged

Mkdir your almost-empty etc folder on /root/etc-changes

Use a unionfs or union mount to combine /usr/share/etc-templates-as-packaged + /root/etc-changes mounted on /etc


As the cherry on top of the cake, there could be a package that did
this automatically.


The trickiest part is probably that, for early daemons to correctly use
that /etc, you may need to do that early in the boot process, in the
initrd, which is less comfortable to code. Alternatively, perhaps a
stub config on /etc would be enough for bootstrapping this (systemd
might interfere with this, though).



(*) I'm not sure the dpkg-divert mechanism would be able to handle a
diversion of /etc, but adding such support if missing would be simple
and *consistent* with the rest of the system.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Dec 21, 2024 at 04:38:46PM -0800, Josh Triplett wrote:

On Fri, Dec 20, 2024 at 08:37:33AM -0600, rhys wrote:

Right now, the model we have is "some packages use the empty /etc model, some packages install commented-out defaults, and there's no consistency". I'd love to move to the model of "all packages use whichever model the sysadmin prefers".

Speaking as a sysadmin, I MUST ACCEPT the fact that I don't write this code. This is not my code. I can't always have my way. If the developer for a package decides that a different way is best for their package, so be it.

Debian is not a distribution that says "whatever upstream does is always right". We have Debian Policy for a reason, and part of the point of a distribution is to ensure packages meet that policy, providing uniform behavior for sysadmins. Policies don't change overnight, but over time
we can steer in a general direction.

Debian is also a distribution which is worked on by volunteers, as
opposed to some distribution which employs wage slaves who have to do
whatever a product manager dictates.

So a question we have to ask ourselves is "is this worth our volunteer bandwidth"? And is it a good thing to have a Debian Policy that will
be wildly ignored, because no one has a time to make non-upstream
compliant changes (some of which might require making semantic changes
in how config files work --- example: ntp server specification has
mentioned upthread --- assuming that making a semantic change to a
config file not updated by upstream is a good thing, which I as an
upstream maintainer have a rather strong and violent reaction to with
respect to uppity distributions)?

Is having a single, unitary config file semantics a nice thing? Sure;
my having enough cash that I can work on whatever I want, and fund
teams to do whatever I want, as opposed to what my employer considers
important would also be "a nice thing". But we can't always have
everything that we want. Most of us are privileged enough to have
anything we want; but most of us also don't have enough resources to
have *everything* that we want.

- Ted

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Josh,

On Thu, Dec 19, 2024 at 07:05:56PM -0800, Josh Triplett wrote:

Suppose that packages ship sample configuration files *that exactly
match their defaults* (which should in general mean that everything is commented out) in some standardized path under /usr/share/doc/$package/
(e.g. examples/etc), that makes it easy to see what path the example corresponds to in /etc.

Then, we could have a package (e.g. "etc-commented-defaults") with an on-installation trigger for that location, which automatically copies
over the defaults to /etc if they don't already exist, updates them if
they match the defaults, and (ideally) has a ucf-style mechanism for the
case where they've been changed. That package could also provide scripts
for easily seeing the diffs between your configuration and all the
defaults.

I've had the same idea floating around my head for a while now too, thanks
for writing it down <3

While codifying the default config path (/usr/share/doc/examples/etc in
your example) in the long run would be nice and clean in many cases
individual maintainers would need to be convinced to follow that
convention, however the etc-commented-defaults package could also just
special case the locations where needed. I like that aspect of the idea.

As an example I'm familiar with iproute2 moved it's default config from /etc/iproute2 to /usr/share/iproute2 in trixie, that is it actually *loads*
the config from there, it's not just example files so in that case upstream patching or symlink trickery would be required to make the package
conformant to this convention.

I've tried arguing this is a blatant disregard of policy but that fell on
deaf ears so far.

I wonder how many other packages do this now that this idea of empty-/etc
is fashionable, I've no idea how we might find them though.

--Daniel

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEV6G/FbT2+ZuJ7bKf05SBrh55rPcFAmdpgHUACgkQ05SBrh55 rPel/hAAqj8acYMEq4A2/uh5hNFjEu4cIO9cC9/MEx5co5gYZ4lbZQN/cx0YuWTz ZTSoPlaYqCIhWOetJ64Sqaec5Cf97EnRQNeiRFmRu4RN9R4oH1mkpz9WPu9nrGjC NK+Rths922JDaF4wwmuoxiqXWmIXwI/2H1R82Joqlk3X3POzyRC0n3T9eTsMfPUs IKR0R6RY5lGo/ZPByPNDqdjSQmsSk8+XatVzqSPlq0IYAoe17NAKhui4SnimHOsD rmQBWifgBiGw/tNShpEBlPFfF99plz1OMw81w9Wab0+x7HK18DBLPb9Q20OZ9y5S NVg04Bla3DqISl2T1TYGI5+00PoEs7hnO3vVn9+Vsx7IVfiv7UiOpPAE5OacOyTp SrHwC2/7jY0WuO2pUzhL0uRctOwHxd6o6Ps9QcCkpRbG0fmtDtjgxCee/BWb4ASO WSrTFXpAgSEH3UiBg100htc1iHHk0jYBIPz2j+QOXyfd4NuXwkuUdq49nbV712T3 ZK2IAo9INCxUyJM3m0Be54y+NbOCJqsmLIa/ciisOZzBBjis4Gec+lVEsm+oHCOV O6Tv+uTwpI56dpxVePugATGf0NYPNbBM/51aXoOuc8xZUQJ1f9DgvxRWNZ8810/n PtX35zOSeJ2kmNeE35Qo+IN5rpE44LfdU9bH7D0d2G8AdcWuSlk=
=Let2
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 23/12/24 16:23, Daniel Gröber wrote:

As an example I'm familiar with iproute2 moved it's default config from /etc/iproute2 to /usr/share/iproute2 in trixie, that is it actually *loads* the config from there, it's not just example files so in that case upstream patching or symlink trickery would be required to make the package
conformant to this convention.

I've tried arguing this is a blatant disregard of policy but that fell on deaf ears so far.

How is that against policy?

Is it against policy to have default config values hardcoded in a
binary? Why things change if these hardcoded values are moved to a
read-only file in /usr? (The user/admin configuration is still in /etc.)

Regards,

--
Gioele Barabucci

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Gioele,

On Mon, Dec 23, 2024 at 08:34:57PM +0100, Gioele Barabucci wrote:

On 23/12/24 16:23, Daniel Gröber wrote:

As an example I'm familiar with iproute2 moved it's default config from /etc/iproute2 to /usr/share/iproute2 in trixie, that is it actually *loads* the config from there, it's not just example files so in that case upstream patching or symlink trickery would be required to make the package conformant to this convention.

I've tried arguing this is a blatant disregard of policy but that fell on deaf ears so far.

How is that against policy?

Debian policy section 10.7.2:

Any configuration files created or *used* by your package must reside in /etc, [...]

(Emphasis mine)

I recently also found rc_policy.txt section 3:

All configuration files must reside in /etc.

Is it against policy to have default config values hardcoded in a binary?

No, but if there's a config file that the program actually reads it has to
be in /etc. (Ok technically policy also allows to "put the files in /etc
and create symbolic links to those files from the location that the package requires." ;)

Why things change if these hardcoded values are moved to a read-only file in /usr? (The user/admin configuration is still in /etc.)

Because traditionally the expectation has been that editable files are
present in /etc. I don't think I've ever come across a package that
violated this expectation before this recent empty-/etc push but perhaps
others know of examples outside my bubble here?

--Daniel

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEV6G/FbT2+ZuJ7bKf05SBrh55rPcFAmdpwXUACgkQ05SBrh55 rPd2CQ/+JiyF6Z1dcdZ2kRaUhRa8c/M77zAkm0UZeyhEkR+uPBRi2bYFf9yBRwRm h3giErb5OzmyMsrnBDNNAKrpVQAbWbgrDD1hJGoo0DhLCP94PgBb3VV5ccWqubi9 htGx1K8Pn9C2GqhpLQUYBMOcsOZyZ30E2qVC2cmbyhNXc9mjKeKsqmi2HMSDbqWk ZJE491eAhnNkY8xnLziOI9mysiJbv1ck7N/uwLquvMIF+yRmYzwjp89YO4W0TQmo jOYUDs+lpsrBokfoqTI4wak17dlw6aJlI9ieXmFVIZjBsZG9pOgxHaAHzZDnyJc+ rNM/gPPD4bwjXW1ClzAx8if7S/tuNGCyFDKo9yky8mqW+AyNjYNQMesFSwGpWAKq MnJ6emGemdNpWzxO5gk49MSR59WiXBCaDUJVRe2/dPv0oEjqxqRw7Ax4GlEDy8hh aUPltZphlhWuZNsbn7l9c5LQti4Z8RlyFUV4W55pvBwQfrlnFrrwU9RlSQinDx7w JWDSqu7uRrA5MwzQ3DMWfU4gyBUl04TNENHOtx0FQ2PUstbBzjOEHl79dlBQ9jla 6tPpJD7dtEm8QL2mfu/QcbCq6/w13mq8WAg+1BZleywguEfmCONbnC1REFxJbxGD kGLSbCYFy4E6xA1oTUE5wFQ6sOehetgM6Wiv15sAShoUOG0SQog=
=dHnc
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Daniel Gröber <dxld@darkboxed.org> writes:

Debian policy section 10.7.2:

Any configuration files created or *used* by your package must reside in
/etc, [...]

(Emphasis mine)

Policy has a specific definition of configuration file, which makes your
point here somewhat ambiguous, but I can understand this misreading and therefore think this is a bug in Policy that we should fix. It has
certainly never been the case that every file loaded by a binary that
controls operation of that binary was required to be in /etc, and I can
name numerous packages that predate and are not attempting to follow the empty-/etc configuration model (such as zsh, autoconf, inn2, and every
package that loads *.desktop files) as obvious cases of loading
configuration information from /usr.

The intended principle here is that configuration files *that may be
edited by a system administrator* should be in /etc. Not files that are intended to be read-only or configuration information shipped by Debian
that the local administrator should not need to edit. That's entirely consistent with a model where the override files edited by the system administrator are in /etc and the defaults they are overriding are
somewhere in /usr; Policy doesn't care whether they are hard-coded inside
some binary or present on disk in some loadable form.

I'll open a bug against debian-policy so that we can clarify the wording
and avoid this misreading.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Dec 23, 2024 at 08:23:33AM -0500, Theodore Ts'o wrote:

On Sat, Dec 21, 2024 at 04:38:46PM -0800, Josh Triplett wrote:

On Fri, Dec 20, 2024 at 08:37:33AM -0600, rhys wrote:

Right now, the model we have is "some packages use the empty /etc model,
some packages install commented-out defaults, and there's no consistency". I'd love to move to the model of "all packages use whichever model the sysadmin prefers".

no one has a time to make non-upstream
compliant changes (some of which might require making semantic changes
in how config files work

I am not suggesting rewriting the handling of configuration files in
software, or modifying the software in any way. That's an independent
change and one that requires convincing upstream.

I am suggesting that, for software which *already* provides an
example/template configuration file (whether in /etc or in
/usr/share/doc), *and* which does something vaguely sensible without
having that file installed, we standardize the paths in which Debian
packages install those example/template configuration files, and provide
an easy way for sysdamins to decide whether those files get installed to
/etc or just stay in /usr/share/doc. That would *only* be a change to
Debian packaging, standardizing the locations in which files get
installed for consistency.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)