Date: Sat, 3 Mar 2007 15:32:03 -0500
From: Kris Kennaway <kris@obsecurity.org>
To: Mij <mij@bitchx.it>
Cc: cvs-ports@FreeBSD.org, Cheng-Lung Sung <clsung@FreeBSD.org>, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org, Kris Kennaway <kris@obsecurity.org>
Subject: Re: cvs commit: ports/security/sshguard Makefile
Message-ID: <20070303203203.GA23511@xor.obsecurity.org>
In-Reply-To: <1C8A6639-A325-46D6-B8C5-A01868780C78@bitchx.it>
References: <200703011006.l21A6EKZ036332@repoman.freebsd.org> <20070302164917.GA28444@xor.obsecurity.org> <44226B29-C2D1-4CF9-A0F9-FC661D5691C5@bitchx.it> <20070302185318.GA30351@xor.obsecurity.org> <1C8A6639-A325-46D6-B8C5-A01868780C78@bitchx.it>

On Sat, Mar 03, 2007 at 02:05:19PM +0100, Mij wrote:

> >IS_INTERACTIVE should *never* be used when there is a possible
> >alternative.
>
> please include this dogma at some point in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/

You mean like in section 4.6? :)

> I see three possibilities
>
> *) defaults
> do we have any data showing that PF (or IPFW) covers 95%+ of the users?
> or do we have any other reason to say that defaulting to PF (or IPFW)
> will work on all/most setups?
> If we don't, no defaults make sense

ipfw is historically very commonly used but pf has gained popularity
in recent years.

> *) variants
> while this seems the best approach, new protection mechanisms will
> appear in the future. This would bring a lot of pollution of
> security/sshguard-* variants in the long run. E.g., version 1 has two
> more backends underway.
> Moreover, a default could actually happen in the future, one
> mechanism that works on all setups given some other compromise
> (e.g. hosts.allow).

What you call "pollution" others call "ease of use". e.g. your port
could be added easily with pkg_add -r. Right now there is no way a
user (pf or ipfw) can obtain your package without compiling it.

Your objection of proliferation of options doesn't carry much weight:
there is no need to add a variant for every possible build
configuration, only the popular ones. As with every other
customizable port in the collection, users who wish to customize with
non-default options can build it themselves. The issue is providing a
reasonable default set of packages covering the common situations.

> *) autodetection
> the port could check itself for what backend to use. E.g. look in
> /etc/rc.conf for pf_* or firewall_* .
> If none of the possibilities are detected, however, the
> problem falls back to the one of defaults.

This won't work on package builds.

> In the end, I think this port requires interaction.

You are probably the only port maintainer in recent memory who has
come to this conclusion when faced with such a choice. I'd invite you
to reflect on that and consider how you can come to an accommodation
with the rest of us :)

Kris