When you remove an acct-group package (be it a dependency or manually installed) from your system, the group is still available in your system (seen in how they are still visible in the /etc/group and /etc/gshadow files). Shouldn't portage run "groupdel" when uninstalling said groups? Or is this behavior intended?
That's intended behavior. It is not safe to remove the users/groups without first cleaning up any files leftover on the filesystem. Removing the user/group allows the id to be re-used by some new user/group, and they would end up having access to files they shouldn't.
What Mike said. The ebuilds can't guarantee it's safe to remove users/groups, so we merely lock the users. Even if we literally traversed the file system for ownership, that: 1) would make removals super slow, 2) would be vulnerable to races, 3) wouldn't guarantee that the user/group doesn't own files on non-mounted filesystem, 4) wouldn't guarantee that the user/group isn't used in some configs. I'm afraid there's nothing we can do about it. Someone could write a tool to perform automated scan & cleanup of "removed" users and groups but that requires time that none of us probably has at the moment.
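A read-only ownership scan of the kind discussed above, for an administrator to run before deleting a group by hand. It is an added example, not code from Portage or from any commenter, and the name `find_owned` and its parameters are hypothetical. It sees only what is mounted under the given root and cannot find references in configuration files.

```python
import grp
import os
import sys


def find_owned(root, uids=(), gids=(), one_fs=True):
    """Return sorted paths under root whose owner uid or gid is in the given sets.

    lstat() is used throughout, so a symlink is reported for its own
    ownership and is never followed out of the tree.
    """
    uids, gids = set(uids), set(gids)
    root_dev = os.lstat(root).st_dev
    hits = []

    def check(path):
        try:
            st = os.lstat(path)
        except OSError:
            return None  # vanished or unreadable mid-scan: the scan is only a snapshot
        if st.st_uid in uids or st.st_gid in gids:
            hits.append(path)
        return st

    check(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in dirnames:
            st = check(os.path.join(dirpath, name))
            # Prune other mounted filesystems (proc, network mounts) when one_fs is set.
            if st is not None and (not one_fs or st.st_dev == root_dev):
                keep.append(name)
        dirnames[:] = keep
        for name in filenames:
            check(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    # Usage (hypothetical script name): scan_owned.py GROUP [ROOT]
    group = grp.getgrnam(sys.argv[1])
    root = sys.argv[2] if len(sys.argv) > 2 else "/"
    leftovers = find_owned(root, gids=[group.gr_gid])
    for path in leftovers:
        print(path)
    # A non-zero exit means the gid still owns files and is not safe to free.
    sys.exit(1 if leftovers else 0)
```

An empty result covers only the scanned tree at the moment of the scan; unmounted filesystems, backups and files created afterwards are not accounted for.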
I see. I couldn't have imagined the security risks and technical challenges it implies. Thank you for the quick response and all your work! It is really appreciated. I'll mark this as resolved. Have a good day.