From Fedora Project Wiki

Deprecating libuser and removing passwd package from Fedora


Libuser is not actively developed. Most of the depending component have build-time option to work without libuser.


Current status

Detailed Description

The libuser provides library and command line utilities to manipulate user and group information. The purpose of the library is/was to hide the differences between users in LDAP and files in etc (passwd, groups...). The support for LDAP is not complete and there is no plan to extend the functionality.

The LDAP integration in Fedora is nowadays done by SSSD.

In the past, the libuser was used by more component including Fedora installer. Currently the list is short

  • usermode (Requires development, it is not complicated but the dependency is unconditional)
  • util-linux (compile time option)
  • passwd (I suggest to ship passwd utility from shadow-utils instead of passwd and drop passwd package as well)


Benefit to Fedora

The main benefit is to decrease the maintenance and packaging work on library that does not bring much value while the functionality is provided by another components.


  • Proposal owners: Deprecate libuser, remove dependencies from packages listed bellow. From the discussion in Fedora mailing list I see that there are valid cases where libuser is used (puppet for example). Keeping libuser available (but deprecated) will allow people with those requirements to adapt. Removing dependencies now allows us to avoid libuser being installed everywhere. It will also allow us to drop the package easily in one of the next Fedora versions (f41).

  • Other developers:
    • Update usermode code to make libuser dependency configurable.
    • Update usermode packaging to compile it without libuser
    • Change packaging of util-linux to compile without libuser dependency
    • Change packaging of shadow-utils to provide passwd utility

  • Release engineering: [1]

Libuser is part of base image and must be removed. IMO mass rebuild is not required.

  • Policies and guidelines: Since this is about dropping packages release notes must be updated.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

People who used libuser to manipulate users in LDAP will have to move to SSSD.

How To Test

  1. remove libuser, passwd, install new shadow-utils, usermode and util-linux
  2. try to change password of some user
  3. try to modify user using usermode
  4. expected results: everything works normally

User Experience

Generally this change should not be visible for users. There are still small differences.

Changes in passwd utility

Differences between old and new passwd utility
old passwd options new passwd options Comment
-n, --minimum -n, --mindays Switch names differ, function is the same
-x, --maximum -x, --maxdays Switch names differ, function is the same
-w, --warning -w, --warndays Switch names differ, function is the same
--stdin -s, --stdin This option has been newly implemented in shadow utils passwd
--force This option is not available in the shadow utils passwd


  • usermode (code modification, packaging to drop libuser dependency)
  • shadow-utils (packaging to provide passwd utility
  • util-linux (packaging to drop libuser dependency)
  • passwd (drop package)

Contingency Plan

  • Contingency mechanism: Revert the shipped configuration
  • Contingency deadline: final development freeze
  • Blocks release? No


There is no extra documentation for this change except release notes.

Release Notes