checks/acct.py hardcodes range for system accounts

[ulm]

By decision of the Gentoo Council today, the range from 0 to 749 is allowed for static allocation. Possibly this will be extended by another range above 60001 in future.

The >= 500 check causes spurious errors, e.g. in gentoo/gentoo#22950.

This should be increased to account for the extended range, or preferably made configurable.

[mgorny]

Configurable how? layout.conf?

[ulm]

Not sure, maybe qa-policy.conf is better?

[mgorny]

Not sure about that. In the end, we aren't using this file at the moment and it's not clear if it will be used in the end.

[mgorny]

I'll just extend the hardcoded range for now and think about putting it somewhere later.

[ulm]

Could you update the error message too? It still says ... outside permitted static allocation range (0..499, 60001+) in class OutsideRangeAccountIdentifier with both ranges being incorrect. It should say just (0..749) I think.

[arthurzam]

@ulm @mgorny Can one of you decide how and where to hold the range?

I think qa-policy.conf was a good suggestion, and if we could select a format? What do you think about:

[glep-81]
uid-range = 1-749,65534
gid-range = 1-749,65533,65534

The format idea is to have comma separated list, of int for single value or int-int for an inclusive on both ends range. It ignore whitespaces in any position.
(I went with glep-81 section name just because I couldn't think of a better name, of course I will agree to any better naming)

[ulm]

I can't say that I like glep-81 as a name. Maybe something more expressive, like user-ids or user-group-ids?

[arthurzam]

No problem :)
Then what about it looking like it?

[user-group-ids]
uid-range = 0-749,65534
gid-range = 0-749,65533,65534

(Also, is this the correct range?)