Bug 39611

Summary: [PATCH] warn if people use at_console
Product: dbus Reporter: Lennart Poettering <lennart>
Component: coreAssignee: D-Bus Maintainers <dbus>
Status: RESOLVED MOVED QA Contact: D-Bus Maintainers <dbus>
Severity: normal    
Priority: medium CC: chengwei.yang.cn, dh.herrmann, msniko14, smcv, teg, walters
Version: 1.5Keywords: patch
Hardware: All   
OS: All   
Whiteboard: review?
i915 platform: i915 features:
Attachments: the patch
the patch, take 2
the patch, take 3

Description Lennart Poettering 2011-07-27 21:04:56 UTC
Created attachment 49643 [details] [review]
the patch

I think it is time to get rid of at_console, people should really use PK instead. As a first step towards removal, warn if people use it.
Comment 1 Simon McVittie 2011-07-28 07:44:25 UTC
Review of attachment 49643 [details] [review]:

Fair enough, but...

::: bus/config-parser.c
@@ +1057,3 @@
                e->d.policy.type = POLICY_CONSOLE;
+
+               _dbus_warn ("Obsolete at_console policy used in message bus configuration file.\n");

In practice nobody's going to see this: dbus-daemon normally closes its stderr. You want _dbus_system_log(), I think (that writes to syslog).
Comment 2 Lennart Poettering 2011-07-28 12:41:16 UTC
Created attachment 49683 [details] [review]
the patch, take 2

ok, this one uses syslog for this message.
Comment 3 Colin Walters 2011-07-28 19:15:19 UTC
We can get the information with grep on source code...not really convinced this is going to make people write patches.  But maybe link to this bug?  You can use https://bugs.freedesktop.org/39611 which is shorter.

I think in practice what will happen is people will file bugs on dbus here or in distribution trackers.
Comment 4 Simon McVittie 2011-07-29 05:06:02 UTC
(In reply to comment #3)
> I think in practice what will happen is people will file bugs on dbus here or
> in distribution trackers.

Yeah, that seems likely, unfortunately; better to just fix the services directly.

Perhaps we could get a check added to lintian and rpmlint?
Comment 5 Lennart Poettering 2011-08-24 15:53:15 UTC
(In reply to comment #3)
> We can get the information with grep on source code...not really convinced this
> is going to make people write patches.  But maybe link to this bug?  You can
> use https://bugs.freedesktop.org/39611 which is shorter.
> 
> I think in practice what will happen is people will file bugs on dbus here or
> in distribution trackers.

I have done similar warnings a couple of times in the past, for example in order to get people use Avahi's native API instead of the bonjour API. I got a couple of complains (4 or so), but in the end a lot of developers came to us interested to get more information, and I think they wouldn't have come so quickly if we hadn't spit out those warnings. So I think it worked, and I think we could repeat it here.
Comment 6 Lennart Poettering 2011-08-24 15:55:03 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I think in practice what will happen is people will file bugs on dbus here or
> > in distribution trackers.
> 
> Yeah, that seems likely, unfortunately; better to just fix the services
> directly.

Well, I think we don't scale that well ;-)

> Perhaps we could get a check added to lintian and rpmlint?

It reaches the wrong people with lintian/rpmlint. You want the developers, and people pushing the developers. Since the developers have to test their stuff, you want those warnings on their screens. And you want the users to file bugs. Hence runtime warnings are the best idea I think.
Comment 7 Lennart Poettering 2011-08-24 16:00:43 UTC
Created attachment 50556 [details] [review]
the patch, take 3

Another iteration, this time with the bugzilla URL.
Comment 8 Colin Walters 2011-08-25 11:14:57 UTC
Review of attachment 50556 [details] [review]:

I don't want to bikeshed this too much, but OK, I accept your argument about adding a bug link.

Just one other thing - should we perhaps just do this once?  Something like Linux kernel style:

#define WARN_ONCE(condition, format...)	({			\
	static bool __warned;					\
	int __ret_warn_once = !!(condition);			\
								\
	if (unlikely(__ret_warn_once))				\
		if (WARN(!__warned, format)) 			\
			__warned = true;			\
	unlikely(__ret_warn_once);				\
})
Comment 9 Lennart Poettering 2011-08-26 14:44:17 UTC
(In reply to comment #8)
> Review of attachment 50556 [details] [review]:

> Just one other thing - should we perhaps just do this once?  Something like
> Linux kernel style:
> 
> #define WARN_ONCE(condition, format...)    ({            \
>     static bool __warned;                    \
>     int __ret_warn_once = !!(condition);            \
>                                 \
>     if (unlikely(__ret_warn_once))                \
>         if (WARN(!__warned, format))             \
>             __warned = true;            \
>     unlikely(__ret_warn_once);                \
> })

Hmm, I don't think this would really work nor is really necessary, since this is a per-policy file thing (i.e. i don't think we should hide that app a has a file with at_console if app b has one too), and we only warn when we reload the policy (i.e. only once at boot, and once on upgrades where dbus is reloaded).
Comment 10 Colin Walters 2011-08-27 08:38:31 UTC
(In reply to comment #9)

> 
> Hmm, I don't think this would really work nor is really necessary, since this
> is a per-policy file thing (i.e. i don't think we should hide that app a has a
> file with at_console if app b has one too), and we only warn when we reload the
> policy (i.e. only once at boot, and once on upgrades where dbus is reloaded).

Fair enough - good to commit then as is now as far as I'm concerned.
Comment 11 Chengwei Yang 2013-12-10 09:50:06 UTC
Comment on attachment 50556 [details] [review]
the patch, take 3

Review of attachment 50556 [details] [review]:
-----------------------------------------------------------------

typo in commit msg: instea --> instead
Comment 12 Chengwei Yang 2013-12-10 09:52:27 UTC
If we are going to obsolete at_console, it's a good idea to mention that in dbus-daemon(1) too.
Comment 13 Simon McVittie 2014-09-23 18:17:50 UTC
(In reply to comment #6)
> It reaches the wrong people with lintian/rpmlint. You want the developers,
> and people pushing the developers. Since the developers have to test their
> stuff, you want those warnings on their screens. And you want the users to
> file bugs. Hence runtime warnings are the best idea I think.

I still think, in practice, the result of this patch is more likely to be people opening dbus bugs, either here or in their distros. I'm not going to veto someone else applying it, but I'm not going to apply it myself either.

Developers probably won't see this anyway, because the best we can do is to make it go to dbus-daemon's output in syslog/the Journal - it isn't going to show up in their daemon's output when they're debugging it, because it isn't their daemon that reads the policy files, it's dbus-daemon.

I've written a patch for Lintian: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762609>. When that gets applied, lintian.debian.org will list all the suspicious policies in Debian, which is a reasonably large subset of all the suspicious policies, and can give us an idea of the size of the problem.
Comment 14 Simon McVittie 2014-10-21 12:27:11 UTC
Live Lintian report: <https://lintian.debian.org/tags/dbus-policy-at-console.html>

I'm not sure that that report is fully accurate: maybe my patch was wrong. On my laptop, the bluez, hplip and system-config-printer packages have at_console in their policies, but they are not listed in that report.
Comment 15 Simon McVittie 2014-10-21 12:31:35 UTC
(In reply to Simon McVittie from comment #14)
> I'm not sure that that report is fully accurate

It isn't, but it will be eventually - not all packages have been processed with the new Lintian snapshot yet.
Comment 16 Tom Gundersen 2017-06-30 09:10:47 UTC
I've been looking into at_console recently (thanks for the lintian report, very useful). It appears to me that we are not really making much progress on getting people to stop using it. Any chance we could reconsider applying this patch to try to bring some attention to the issue?
Comment 17 Philip Withnall 2017-06-30 09:34:49 UTC
(In reply to Tom Gundersen from comment #16)
> I've been looking into at_console recently (thanks for the lintian report,
> very useful). It appears to me that we are not really making much progress
> on getting people to stop using it. Any chance we could reconsider applying
> this patch to try to bring some attention to the issue?

I think the problem is that adding polkit support to a project is seen as a lot of work, and at_console is trivial to use. As long as it continues to do what developers want, they’re going to continue to use it. I think a warning is going to get people to migrate to polkit only if it also comes with a deprecation timeline for at_console.
Comment 18 Simon McVittie 2017-06-30 09:39:12 UTC
(In reply to Tom Gundersen from comment #16)
> I've been looking into at_console recently (thanks for the lintian report,
> very useful). It appears to me that we are not really making much progress
> on getting people to stop using it. Any chance we could reconsider applying
> this patch to try to bring some attention to the issue?

I'm still concerned that the likely reaction to this patch is going to be people opening misguided bugs against dbus, either upstream or downstream.

I've also had feedback from the Lintian check that Debian developers seeing their packages flagged by that check would like to fix it, but don't know how. I don't think we have any particularly coherent documentation on why polkit is preferable to at_console, and on how to convert existing services to use polkit. Unless you know of such documents? If not, I've been meaning to write one for a while, but it's in the queue with many other dbus tasks (I work for a consultancy, so dbus is rarely my primary project).

If the message was more like

    dbus[123]: /etc/dbus-1/system.d/com.example.BadPackage.conf: at_console policy is deprecated, please convert the service to use polkit. See https://dbus.freedesktop.org/doc/at-console-deprecated.html for details.

(and if there was a suitable document behind that URL!) then I think maybe that'd be OK? That's more clearly putting the blame on whichever package owns that config file, which can be queried with whatever is this distro's equivalent of dpkg -S.
Comment 19 Philip Withnall 2017-06-30 10:13:46 UTC
(In reply to Simon McVittie from comment #18)
> (In reply to Tom Gundersen from comment #16)
> > I've been looking into at_console recently (thanks for the lintian report,
> > very useful). It appears to me that we are not really making much progress
> > on getting people to stop using it. Any chance we could reconsider applying
> > this patch to try to bring some attention to the issue?
> 
> I'm still concerned that the likely reaction to this patch is going to be
> people opening misguided bugs against dbus, either upstream or downstream.
> 
> I've also had feedback from the Lintian check that Debian developers seeing
> their packages flagged by that check would like to fix it, but don't know
> how. I don't think we have any particularly coherent documentation on why
> polkit is preferable to at_console, and on how to convert existing services
> to use polkit. Unless you know of such documents? If not, I've been meaning
> to write one for a while, but it's in the queue with many other dbus tasks
> (I work for a consultancy, so dbus is rarely my primary project).
> 
> If the message was more like
> 
>     dbus[123]: /etc/dbus-1/system.d/com.example.BadPackage.conf: at_console
> policy is deprecated, please convert the service to use polkit. See
> https://dbus.freedesktop.org/doc/at-console-deprecated.html for details.
> 
> (and if there was a suitable document behind that URL!) then I think maybe
> that'd be OK? That's more clearly putting the blame on whichever package
> owns that config file, which can be queried with whatever is this distro's
> equivalent of dpkg -S.

I entirely agree, although I think the warning would be more effective if it said ‘at_console policy is deprecated and will be removed in D-Bus x.y’, because people love to ignore deprecation warnings for as long as they can get away with.
Comment 20 Simon McVittie 2017-06-30 10:43:14 UTC
(In reply to Philip Withnall from comment #19)
> I think the warning would be more effective if it
> said ‘at_console policy is deprecated and will be removed in D-Bus x.y’,
> because people love to ignore deprecation warnings for as long as they can
> get away with.

To be able to do this, we need to be absolutely clear about why at_console is sufficiently problematic to justify an incompatible change (its deletion). "People should really use PK" doesn't seem like enough justification.

You know that there are good reasons, and I know that there are good reasons, but if those reasons aren't written down somewhere obvious then we are never going to convince the authors of something like BlueZ that they are good.

The reasons that I am aware of:

* polkit policies are defined in terms of high-level actions that are
  intended to make sense in a domain-specific way: for example, udisks2
  has distinct actions for "mount a system partition", "mount a partition
  of a removable disk on the same seat as the user" and "mount a partition
  of a removable disk on a different seat". D-Bus policy XML is entirely
  in terms of the mechanics of the message-passing, so it cannot make
  these domain-specific distinctions.

* Editing the D-Bus policy XML language is error-prone, because any
  configuration file can affect any service and the semantics are not
  obvious. The policy language that sysadmins wishing to vary policy are
  encouraged to edit should be something with fewer sharp edges, like
  the current JavaScript and former .pkla languages in polkit.

* It is technically very problematic for dbus-daemon to call out to D-Bus
  services to implement at_console, which is a problem for projects that
  reimplement the logind parts of libsystemd in terms of D-Bus calls to
  an alternative like ConsoleKit2, for example
  <https://github.com/dimkr/LoginKit>: a synchronous call would lead to
  immediate deadlock. polkit is fully asynchronous, and making it call
  out to D-Bus services is much more straightforward. libsystemd only
  manages to avoid this problem by using files in /run as its
  read-only IPC API for the parts of logind that dbus-daemon
  interacts with.

(Yes, by mentioning that last one I am deliberately trying to preempt people who might otherwise claim this is some sort of pro-systemd conspiracy. In fact it's somewhat the opposite - systemd-logind works fine with at_console, but loginkit wouldn't.)

Are there others?
Comment 21 Tom Gundersen 2017-07-13 14:38:51 UTC
Perhaps another argument against at_console, is that (at least in my view) its semantics is really not very intuitive. It gives the impression of being a dynamic property, but it isn't.

A priori, I would have thought that at_console would be true for any message being sent from a process in a session that is currently active on a seat. As we all know, that is not at all the case: the at_console property is pinned at connection time, and it is user-wide, rather than per session. This could easily cause connections to be considered at_console, even if the associated user is not. Or even more confusingly, you could have two connections in the same session at the same time, where one is considered at_console and the other isn't.

This isn't really a technical problem, as much as a messaging/documentation one, and I consider the main issue the last one Simon mentioned: having to do IPC in order to do IPC is just asking for trouble.
Comment 22 Philip Withnall 2017-09-22 09:41:56 UTC
Note the dbus-broker project is discussing ways of working around the latent need for at_console support here: https://github.com/bus1/dbus-broker/issues/56
Comment 23 GitLab Migration User 2018-10-12 21:11:45 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/dbus/dbus/issues/52.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.