[arch-general] PAM 1.3.1 -> 1.5.1 did pam_tally get removed?
arch at eckner.net
Wed Feb 24 05:02:51 UTC 2021
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 23 Feb 2021, David C. Rankin via arch-general wrote:
> On 2/22/21 6:58 AM, Anton Hvornum via arch-general wrote:
>> I added 2FA way back when to /etc/pam.d/system-login and that meant
>> that pacman placed a .pacnew file alongside the modified system-login
>> (as expected) on upgrade.
>> But the notification about this got lost in the sea of packages which
>> is on me of course. But seeing as this is a modification to a system
>> critical file can (and did) cause a complete lockout of accounts on
>> the machine due to `auth required` being the keywords put in place.
>> I would have expected this to be on the bulletin board about possible
>> manual intervention required.
> Arch does a fantastic job in doing all that it does in a rolling release, so
> don't take this the wrong way, but I do agree with Anton a bit here. Over the
> years (12 now), there have been 4-5 times that an update with pacman -Syu has
> left me with either a critical server package in need of an immediate day long
> learn and reconfigure session, or a change has left remote adminned machines
I have been there too, and there are some things I do (besides checking
the news and running pacdiff) which will help:
1. Use some wrapper around pacman, which gives me an "emergency" shell, in
case the system becomes unreachable (think: new ssh connections being
rejected due to some change in ssh).
2. Revert the update if I really need the system *now* and cannot invest
the time *now* to repair whatever was broken.
3. Do the update when noone desperately needs the machine (Once, I did a
reboot of the lab server in the morning and it decided it will fsck the
data raid which took over an hour ... fun, fun, fun)
4. Build my own packages with as many depends=(libfoo.so) dependencies
instead of depends=(foo) as possible, so already `pacman -Syu` will
complain about broken linking. Here, I want to say a big THANKS to arch
package maintainers for including more and more provides=(libfoo.so) into
[ ... snip ... ]
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the arch-general