undefined | Better HN

0 pointscyberax18d ago0 comments

Most software doesn't need to resolve users. You also can always shell out to `id` if you need an occasional bit of metadata.

0 comments

jcgl18d ago

That's a fair point, and shelling out to id is probably a good solution.

I guess what bothers me is the software authors who don't think this through, leaving applications non-functional in these situations.

At least with Go, if you do CGO_ENABLED=0, and you use the stdlib functions to resolve user information, you end up with parsed /etc/passwd instead of shelling out to id. The Go stdlib should maybe shell out to id instead, but it doesn't. And it's understandable that software developers use the stdlib functions without thinking all too much about it. But in the end, simply advocating for CGO_ENABLED=0 results in software that is broken around the edges.

cyberaxOP16d ago

On the other hand, the NSS modules are broken beyond fixing. So promoting ecosystems that don't use them might finally spur the development of alternatives.

jcgl15d ago

Could be interesting. What do you see as the main problems with NSS? I've never needed to use it directly myself. It seems quite crusty of course, but presumably there's more that your referencing.

Moving from linking stuff in-process to IPC (such as systemd-userdbd is promoting) _seems_ to me like a natural thing to do, given the nastiness that can happen when you bring something complex into your own address space (via C semantics nonetheless). But I'm not very knowledgeable here and would be interested to hear your overall take.

1 more reply

j / k navigate · click thread line to collapse