From owner-svn-src-all@freebsd.org Mon Feb 24 19:30:09 2020
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Pedro Giffuni
Cc: Florian Smeets, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 24 Feb 2020 20:29:57 +0100
Subject: Re: svn commit: r358153 - head/usr.sbin/services_mkdb
Message-ID: <20200224192957.03g0-%steffen@sdaoden.eu>
References: <202002200354.01K3s8ib077553@repo.freebsd.org> <03606e17-08fc-f575-95f5-c3c5128bff4f@smeets.xyz> <20200223010937.fTLhW%steffen@sdaoden.eu>
User-Agent: s-nail v14.9.17-52-g56288e6a
Hello.

Pedro Giffuni wrote in :

|On 22/02/2020 20:09, Steffen Nurpmeso wrote:
|> Hey, just so, because i posted to such a thing the last time.
|>
|> Pedro Giffuni wrote in
|> :
|>|On 22/02/2020 11:18, Florian Smeets wrote:
|>|> On 20.02.20 04:54, Pedro F. Giffuni wrote:
|>|>> Author: pfg
|>|>> Date: Thu Feb 20 03:54:07 2020
|>|>> New Revision: 358153
|>|>> URL: https://svnweb.freebsd.org/changeset/base/358153
|>|>>
|>|>> Log:
|>|>>   /etc/services: attempt bring the database to this century.
|>|>>
|>|>> -smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)
|>|>> -smtps 465/udp #smtp protocol over TLS/SSL (was ssmtp)
|>|> I'm not sure how removals of services have been handled in the past.
|>|> This change broke loading of my pf rule set, as I had smtps in there.
|>|
|>|Excellent!
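Review bot: the two removed lines take away the smtps name without leaving an alias behind, and the replies quoted right above already name consumers that resolve that string by name (a pf rule set, postfix's use of smtps for port 465), so getservbyname(3) for "smtps" stops working the moment this lands. The IANA excerpt quoted further down in this mail lists 465/tcp as submissions, so keep the legacy name resolvable either as an alias on that entry, `submissions 465/tcp smtps`, or as its own `smtps 465/tcp` line with a conflict note, as Pedro proposes below; name lookups then keep working while a port lookup still returns the registered name. For 465/udp the same excerpt has igmpv3lite, so that removal needs nothing beyond keeping the tcp name alive.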
|>|
|>|Not that the change broke something but that since we had to revert it
|>|we get a second chance to review such things.
|>|
|>|> I'm not saying that this change is wrong, but I think removing entries
|>|> from services can break all kinds of stuff. Not just firewall rule
|>|> sets, also scripts and, thinking more about it, it will most certainly also
|>|> break postfix as it also uses smtps as an alias for port 465 in its
|>|> master.cnf
|>|
|>|According to the latest IANA registry:
|> ...
|>
|> kpasswd      464/udp   # kpasswd (Theodore Ts o)
|> urd          465/tcp   # URL Rendezvous Directory for SSM (Toerless Eckert)
|> submissions  465/tcp   # Message Submission over TLS protocol (IESG, IETF Chair, rfc8314) [2017-12-12]
|> igmpv3lite   465/udp   # IGMP over UDP for SSM (Toerless Eckert)
|> digital-vrc  466/tcp   # digital-vrc (Peter Higginson)
|>
|> Oh yes, they finally managed to overcome the SMTPS problems.
|> The RFC has a nice reading on that (as i seem to remember), yay IETF.
|> I am really happy. (I never understood why POP3S and IMAPS were
|> done but SMTPS was not.)
|Hmm .. I quoted the IANA list but I hadn't read the RFC. Interesting but
|I don't know if it solves Florian's issue.

It surely will not if he uses the string smtps rather than submissions.

 ..
|>|For the time being, we can absolutely keep the legacy value with a
|>|conflict note. I wish the services list were a bit easier to maintain
|>|for such situations.
|>
|> Doesn't it just search until it finds the string?
|> Btw. i can only offer the simple awk script that i have for
|> updating services and protocols again; after the criticism last time
|> i have evolved it from its ArchLinux base and added a verbose
|> mode, as you can see above. (That Theodore Ts'o misspelling is
|> IANA rooted.) Whereas it made it more complicated, 139 lines for
|> download and preparation is not that much.
|
|Interesting. There's also
|
|https://reviews.freebsd.org/D17115
|
|where I made some comments.
|
|Currently services_mkdb doesn't scale (which is why the patch was
|reverted), but beyond that the real problem is that we shouldn't just
|take the entries blindly. Many people abuse the registry for their
|startups and licensing services and then never de-register them. In the
|case of NetBSD's services file, it currently has 21838 lines, which is
|bigger than the official IANA file.

Hm. I have tracked it for some time, and have not found this to be
a problem for my average use case. And if it changes, then because
the IANA registry has actually changed, because of requests of those
who are responsible for a protocol. (The entire unified diff to last
year's version, including timestamp etc., is 335 lines here, or about
three percent of the 11423 lines the file has and the 11395 lines last
year's file had. Many renames this year. Likely in the groove, and it
would be nicer if named xy.) In fact many programs bake their use
cases in due to all the mess (the MongoDB service is new this year);
on CRUX-Linux, which uses git(1), for example, /etc/services did not
have the git service until first the FreeBSD file was imported, and
then, last year, the small awk script. That has worked for years
without problems. I mean, for the cacert repository i have for almost
a decade, and which only generates a single file, but nonetheless, i
have a local additions and removals mechanism. All plain text, and it
works with Unix text tools.
Why FreeBSD needs XML and python and something out-of-tree, or
anything more complicated than

  # ${1} is the bundle file being generated; panic() is defined elsewhere
  # in the script (not shown).  local.rc holds records of three lines each:
  # file, url, finger (a line prefix marking where the certificate starts
  # in the bundle); a url of "-" means "remove this certificate".
  < ./local.rc sed -E -e '/^#/d' -e '/^[[:space:]]*$/d' |
  while { read file; read url; read finger; }; do
          if [ "${url}" = - ]; then
                  echo 'local.rc: removing: '"${file}"
                  # GNU sed -i; FreeBSD sed needs "sed -i ''" for no backup file
                  sed -i -e '/^'"${finger}"'/,/^-----END CERTIFICATE/d' "${1}" ||
                          panic "cannot edit ${1} via sed(1) for ${url}"
          else
                  [ -f "${file}.local" ] || continue
                  echo 'local.rc: adding: '"${file}"
                  {
                          echo "# ${file}.local"
                          cat "${file}.local"
                  } >> "${1}" ||
                          panic "cannot add ${file}.local cert to ${1}"
          fi
  done

is hard to understand for likely more than one FreeBSD user. I would
find it more reasonable to include the IANA text file and have a
generic FreeBSD one, and an optional local per-site adjustment list,
in simple text. Like the rc.conf mechanism. In this scenario Florian
could simply add 'smtps 465/tcp' there now, and would not need to care
any further. If a nice rc script checks timestamps then the DB does
not even need to be recreated unless strictly necessary. Why something
with ~11000 entries that is indexed with short strings or integers does
not scale, i do not really understand.

|> Additions could simply be echoed?
|
|I expect we maintain a relatively short list and have people send PRs
|for new entries (assuming they are registered).
|
|BTW, we should probably go ahead and register our lockd in IANA as the
|port number already collides with something else and our use is
|propagating to other OSs (namely illumos).

I meant when creating the final /etc/services file.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
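The "generic file plus per-site adjustment list" mechanism argued for in the message above, as an added example that is not code from this thread, from FreeBSD or from services_mkdb(8): a base services file is merged with a local list using only sh(1) and awk(1), and a make(1)-style timestamp test shows how an rc script could skip the rebuild when nothing changed. The `services.local` format (`+name port/proto ...` to add, `-name` or `-port/proto` to remove), the function names and the sample entries are assumptions made for this example; the base excerpt is constructed, not the real IANA file.

```shell
#!/bin/sh
# Added example (not from the thread, FreeBSD or services_mkdb(8)): merge a
# base services file with a per-site adjustment list using sh(1) and awk(1)
# only.  Assumed, hypothetical formats:
#   services.base  : ordinary services(5) lines "name port/proto [aliases] [# comment]"
#   services.local : "+name port/proto [aliases] [# comment]"  add; replaces any
#                    base entry with the same name
#                    "-name"  or  "-port/proto"                 drop matching base entries
#                    "# ..." and blank lines are ignored

# Constructed sample input (IANA-style excerpt, NOT the real registry file).
BASE_SERVICES='# Network services, Internet style (constructed sample)
kpasswd         464/udp    # kpasswd (Theodore Ts o)
urd             465/tcp    # URL Rendezvous Directory for SSM
submissions     465/tcp    # Message Submission over TLS protocol
igmpv3lite      465/udp    # IGMP over UDP for SSM
digital-vrc     466/tcp    # digital-vrc
'
LOCAL_ADJUST='# per-site adjustments (constructed sample)
-urd
+smtps          465/tcp    ssmtp   # legacy name still used by local pf rules
+lockd          4045/udp           # site-local, not registered with IANA
+bogus          notaport           # malformed on purpose: must be rejected
'

# merge_services BASE LOCAL  ->  merged file on stdout, diagnostics on stderr,
# exit status 1 if any local line was rejected (the output is still complete).
merge_services() {
    awk -v localfile="$2" '
    # pass 1: the local list.  Matched by file name rather than the usual
    # FNR == NR trick, so an empty local list cannot make awk treat the
    # base file as the local one.
    FILENAME == localfile {
        line = $0; sub(/#.*/, "")
        if (NF == 0) next
        op = substr($1, 1, 1)
        if (op == "-") { drop[substr($1, 2)] = 1; next }
        if (op == "+" && $2 ~ /^[0-9]+\/(tcp|udp|sctp|dccp)$/) {
            override[substr($1, 2)] = 1
            add[++nadd] = substr(line, index(line, "+") + 1)
            next
        }
        printf "%s:%d: rejected: %s\n", FILENAME, FNR, line > "/dev/stderr"
        bad++
        next
    }
    # pass 2: the base file.  Comment and blank lines pass through unchanged.
    {
        line = $0; sub(/#.*/, "")
        if (NF == 0) { print line; next }
        if (($1 in drop) || ($2 in drop)) next
        # a flat services file is searched top to bottom and the first match
        # wins, so a local override must displace the base entry, not follow it
        if ($1 in override) next
        print line
    }
    END {
        if (nadd) print "# --- local additions (" localfile ") ---"
        for (i = 1; i <= nadd; i++) print add[i]
        exit (bad ? 1 : 0)
    }' "$2" "$1"
}

# needs_rebuild OUT IN...  ->  status 0 when OUT is missing or older than any
# IN: the make(1)-style check an rc script could apply before running
# services_mkdb, so the DB is regenerated only when an input changed.
# ("-nt" is a widespread test(1) extension: FreeBSD sh, bash, dash.)
needs_rebuild() {
    out=$1; shift
    [ -e "$out" ] || return 0
    for f in "$@"; do
        [ "$f" -nt "$out" ] && return 0
    done
    return 1
}

# demo: write the constructed samples to a temp dir, merge them, and return
# the merge status (1 here, because of the deliberately bogus local line).
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s' "$BASE_SERVICES" > "$dir/services.base"
    printf '%s' "$LOCAL_ADJUST"  > "$dir/services.local"
    rc=0
    merge_services "$dir/services.base" "$dir/services.local" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "merge status: $?" >&2
```

Two design points worth noting: a `+name` entry replaces any base entry of the same name instead of being appended behind it, because a flat services file is scanned top to bottom and a duplicate at the bottom would never be reached by a name lookup, while the appended position keeps the registered name (here `submissions`) ahead of the legacy one for lookups by port; and a malformed local line is reported and skipped rather than copied through, so a typo in the site list cannot end up in the generated database.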