[arch-general] PAM 1.3.1 -> 1.5.1 did pam_tally get removed?
David C. Rankin
drankinatty at gmail.com
Wed Feb 24 02:08:42 UTC 2021
On 2/22/21 6:58 AM, Anton Hvornum via arch-general wrote:
> I added 2FA way back when to /etc/pam.d/system-login and that meant
> that pacman placed a .pacnew file alongside the modified system-login
> (as expected) on upgrade.
> But the notification about this got lost in the sea of packages which
> is on me of course. But seeing as this is a modification to a system
> critical file can (and did) cause a complete lockout of accounts on
> the machine due to `auth required` being the keywords put in place.
> I would have expected this to be on the bulletin board about possible
> manual intervention required.
Arch does a fantastic job in doing all that it does in a rolling release, so
don't take this the wrong way, but I do agree with Anton a bit here. Over the
years (12 now), there have been 4-5 times that an update with pacman -Syu has
left me with either a critical server package in need of an immediate day long
learn and reconfigure session, or a change has left remote adminned machines
unreachable.
(considering the 100's of thousands of package upgrades over those 12 years,
those are quite good stats)
But if there is any way to do a double-check on system critical or server
critical packages and drop a note if some type of breakage or immediate
attention will be needed would be welcomed.
I know, I know, in a perfect-world we would have all the manpower desired to
look at ever aspect up potential adverse impacts and would all be informed of
each upcoming change, but we live in the real-world and there will be some
changes that hit some harder than others. I can't see the user solution being
building different systems to pre-check if pacman -Syu is advisable.
The Arch way has always been that only current systems fully updated by pacman
-Syu are supported and throughout the wiki, etc.. the advice being "make sure
you do a pacman -Syu before ..." We should ensure, to the greatest extent
possible, that
(1.) pacman -Syu remains the safe, gold-standard on how updates are done, and
(2.) make a good effort to note any changes likely to cause problems on
archlinux.org.
It's hard to make what is already done well, better, but there is always room
for improvement.
--
David C. Rankin, J.D.,P.E.
More information about the arch-general
mailing list