Hi Lorenzo,

On Mon, Mar 17, 2025 at 12:47:43AM +0100, Lorenzo wrote:
> pushed a version of the patch with xchpst in invoke-run that uses the
> --file option. Hoping that it works as expected, this is what I'm
> comfortable to add at this stage of the release process to allow
> experimenting with xchpst and runscripts in Trixie.

Excellent, thanks!

> That said, I know this is your least favorite option, I think there are
> still important details that need to be looked at, and I propose that
> we take the time to do the testing during early Trixie cycle and then
> define the final version of the xchpst integration.

It seems to work - all in, it's a neat solution.

> On Thu, 27 Feb 2025 22:52:47 +0000
> Andrew Bower <and...@bower.uk> wrote:
>
> > > I had a look at runscripts and chpst is rarely used, often with one
> > > option like 'chpst -uuser' or 'chpst -mNNN' or the like, so
> > > for instance (stealing the idea from the power-profile-daemon
> > > chatting we had),
> >
> > You are right. This does slightly call into question one of my core
> > design principles, which was to be similar in form to and compatible
> > with chpst - what is the point if chpst is rarely used? But we are
> > here now and I think xchpst does basically do its job reasonably well!
>
> I still think being compatible with chpst is added value, you never
> know how a user or another distro may want to use it

Good to know!

> > The '--exit' option was specifically added to return exit code 0 so
> > that it could be used as a test for presence of xchpst - it can also
> > check compatibility with the selected options.
>
> this needs to be thought carefully: a related issue is to decide what to
> do if one or more required hardening options are not applicable; it
> looks like security vs resilience tradeoff. it needs to be sorted out
> in xchpst first.

Yes, this needs review. We should hope that in most cases, rather than a
trade-off, there is an obvious right answer (abort or continue as best
effort) so we can minimise excess complexity in configuration.

The purpose of the option check with '--exit' is to check whether the
tool understands them, rather than whether they can be applied. This is
necessary because of ambiguity with getopt-style option parsing when the
option set is unknown.

In fact with the file-specified options we don't need to worry about that
and it might be worth considering simply ignoring unknown options _in the
file_.

Thanks again for adding the compat,

Andrew
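The '--exit' probe discussed above, as an added example that is not part of the thread or of the xchpst project: a runit-style run script that checks whether xchpst is installed and understands the requested options before using it, and otherwise falls back to classic chpst or refuses to start. It assumes only what the message states, that 'xchpst --exit <opts>' returns 0 when xchpst is present and accepts <opts>; the hardening option name in XCHPST_OPTS and the daemon path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the xchpst project: a
# runit-style run script that probes for xchpst with '--exit' before relying
# on it. Assumptions: 'xchpst --exit <opts>' returns 0 only when xchpst is
# installed and understands <opts> (as described in the thread); the option
# name in XCHPST_OPTS is a placeholder, and DAEMON is a constructed path.

DAEMON="/usr/sbin/example-daemon"            # placeholder service binary
CHPST_OPTS="-u daemon"                       # baseline: run as user 'daemon' (real chpst flag)
XCHPST_OPTS="-u daemon --example-hardening"  # placeholder extra hardening option

# Print which wrapper to use: "xchpst" when it is present and accepts
# XCHPST_OPTS, "chpst" when only the classic tool is available, else "none".
# Only the exit code of 'xchpst --exit' is consulted; its output is discarded.
# $XCHPST_OPTS is deliberately unquoted so it splits into separate arguments.
wrapper_name() {
    if command -v xchpst >/dev/null 2>&1 &&
       xchpst --exit $XCHPST_OPTS >/dev/null 2>&1; then
        echo xchpst
    elif command -v chpst >/dev/null 2>&1; then
        echo chpst
    else
        echo none
    fi
}

# Launch the service under the chosen wrapper. Refusing to start when no
# wrapper exists is the "abort" side of the trade-off discussed in the thread;
# a "best effort" policy would exec "$DAEMON" unwrapped instead.
run_service() {
    case "$(wrapper_name)" in
        xchpst) exec xchpst $XCHPST_OPTS "$DAEMON" ;;
        chpst)  exec chpst $CHPST_OPTS "$DAEMON" ;;
        *)      echo "run: no chpst/xchpst available, refusing to start unhardened" >&2
                exit 1 ;;
    esac
}

# runit invokes this script as .../run; only then do we exec the service,
# so the functions above can also be sourced and exercised on their own.
if [ "$(basename -- "$0")" = run ]; then
    run_service
fi
```

The check covers the two cases the thread distinguishes: an xchpst that is absent, and one that is present but does not understand a given option (where getopt-style parsing would otherwise leave the caller guessing). What to do when an option is understood but cannot be applied is left to xchpst itself, as Lorenzo suggests.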