In message <rmiwtmmzp7a.fsf@fnord.ir.bbn.com>, Greg Troxel writes:
>"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
>
>> Hmm -- if you're running as non-root, create the metalog; when 
>> installing, use the metalog if it exists.  -U will create the metalog 
>> even if running as root.
>
>I'm not sure, but I think it's critical to avoid a mixed
>metalog/non-metalog.  But perhaps with that situation install will use
>uids/mode from the file if no metalog entry, and from metalog if
>an entry exists, so perhaps that's ok, just icky.
>
My general principle here is to avoid violating the rule of least 
surprise.  The current scheme does cause problems that way; we've seen 
many mailing list messages that boil down to someone forgetting -U 
either on compilation or installation.  That scheme violates another 
rule: the same information has to be specified twice.  From the latter 
point, I conclude that specifying it at compile time -- and thus 
creating the metalog -- is a sufficient signal for the installation 
phase.

However, I take it a step further.  If you compile as non-root, you 
*can't* create a proper tree; you have to have metalog.  In other 
words, building as non-root is itself a signal; in that case, why have 
-U at all?  But that compilation-time decision *must* create the flag 
for installation time.

I don't see how this scheme can result in a mixed metalog/non-metalog 
situation.  If anything, it helps avoid it.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb