On Wed, 2019-10-02 at 01:00 +0200, Danny Milosavljevic wrote:
I think you should start a thread on the guix-devel list expressing your
concerns, and we can discuss how to improve guix from there.
If PAM configurations should be up to the administrator, there should be
documentation to teach the administrator how to use them. The manual doesn't
say anything about how to use pam-services in operating-system, so I
submitted a bug report (bug #37583) requesting documentation.
I think I agree with your point that if a non-default configuration is
desired, administrators should be able to modify it, just like any other
part of the configuration. Ideally they can always opt-out of details they
I do not agree that we are deciding for the admins. This is just like the
discussion about whether GuixSD should include the /usr/bin/env and /bin/sh
special files by default, except there isn't any documentation on how to
opt out of or extend the default PAM services.
There must be a default for every detail. If a detail is found practical
most of the time, I think it is good to either have it as a default (like
/usr/bin/sh) or have a ready example of how to implement it viewable from
the install environment (like what we do with desktop environments) so most
users don't have to look up how to add it. That does not negate the ability
of power users and administrators to opt out in the operating-system
In the context of this patch, pam-limits is still opt-in. Perhaps a more
flexible fix would be to make the pam-limits-service-type accept an optional
list of strings identifying the configurations to create or modify to use
pam-limits, with the default being %default-pam-limits-service-names
defined as '("login" "su") which could then be appended to %slim-pam-
service-names '("slim") or %gdm-pam-service-names '("gdm-password" ...). If
you or anyone else wants to implement that proposal and update the
documentation so admins will know how to configure it, feel free.
I hope I did not misunderstand your comments. We can discuss this and your
other concerns in a guix-devel thread.