From: Chris Rees
Date: Sat, 20 Aug 2011 19:18:15 +0100
To: Jason Helfman
Cc: Kostik Belousov, Glen Barber, ports@freebsd.org
Subject: Re: [Request for Comments] Adding a JAILED meta-variable to bsd.port.mk

On 20 August 2011 18:46, Jason Helfman wrote:
>> On 8/20/11 8:44 AM, Kostik Belousov wrote:
>>>> One thing I can think of off-hand to fix this in that case is setting a
>>>> local environment variable to disable a check for security.jail.jailed.
>>>> Would this be an ok solution for those cases? If not, I happily agree
>>>> that this change should not be made then.
>>>>
>>>> I have an updated patch to bsd.port.mk that looks for a local
>>>> environment variable, PKGJAIL - if it is set, then JAILED is unset.
>>>> Would this be acceptable?
>>> The change would require user to do a configuration for a thing that
>>> previously just worked. What is the point ?
>>>
>>
>> I suppose the specific problem I am trying to solve is a case where a
>> user builds a port within a jail with the expectation that the port will
>> in fact run within the jail with little or no changes. Perhaps
>> security/sshguard-pf and databases/postgresql*-server are not the most
>> ideal examples of where this would be relevant.
>>
>> I agree that a configuration change for something that worked before is
>> not the best solution. So, I retract this change proposal.
>>
>> Again, thank you for the feedback and pointing out that this would have
>> had negative impact on those using jails for package building.
>>
>> Regards,
>>
>> Glen
>>
> I, myself, have not installed or built enough packages in jails to find
> this issue, however I am using tinderbox for maintaining my ports,
> submitting ports, or patches, as well as maintaining a local ports tree.
>
> In doing this, and maintaining our operational environment, I am finding
> many conditions where you may want to do one thing or another, and the
> possibilities I have found can be endless, so it could be argued to not
> introduce global functionality for the X number of ports/packages that
> need it, however to code the port to be aware of these conditions in the
> packaging scripts.
>
> For example, you could test for values of sysctl, or another condition.
> Based on the result, perform X action. Although, I haven't done this
> specifically for a jail, I don't see why the same practice couldn't be
> exercised.
>
> These, I believe, can all be taken advantage of in subsequent pkg-*
> files.
>

Hm, not a fan of getting output of sysctl for many ports -- that'd
take forever in INDEX generation for example.

Perhaps we could just introduce a JAILED variable and leave it at that?

Chris