Date: Mon, 2 Jun 2014 12:25:17 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-apache@freebsd.org
Subject: Mass cleansing of Apache module POLA violations
Message-ID: <cc98dc4842b81154e98740ffb43d60bc@mail.feld.me>

Hi all,

Thanks for maintaining Apache and friends. I have a request.

With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert with it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.

Can we please stop trying to outsmart the sysadmin?

- I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and potential security hole. I might not actually need it activated.
- I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.
- I do *NOT* want pkg and Apache to outsmart me and break my systems.
- I *do* want kind, helpful instructions in pkg-message or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/

As of today you can expect the following:

Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask? Because mod_perl installs this:

    #LoadModule perl_module libexec/apache22/mod_perl.so

And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!

There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.

If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.

Thank you for your time.
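
The following is an added example, not part of the original message or of the FreeBSD ports tree: a POSIX shell check that compares a pre-upgrade copy of httpd.conf with the current file and reports LoadModule lines that a package operation disabled, removed or added. The function names, the sample files and `example_module` are constructed for illustration.

```shell
#!/bin/sh
# Detect LoadModule drift between a saved httpd.conf and the current one.

# Names of modules with an active (uncommented) LoadModule line.
active_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1" | sort -u
}

# Names of modules whose LoadModule line is commented out.
commented_modules() {
    sed -n 's/^[[:space:]]*#[[:space:]]*LoadModule[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Usage: loadmodule_drift BEFORE AFTER
# Prints "disabled NAME", "removed NAME" or "added NAME" per changed module.
loadmodule_drift() {
    before=$1 after=$2
    tmp=$(mktemp -d) || return 2
    active_modules "$before" > "$tmp/b"
    active_modules "$after" > "$tmp/a"
    commented_modules "$after" > "$tmp/c"
    # Active before the upgrade, no longer active afterwards.
    comm -23 "$tmp/b" "$tmp/a" | while read -r m; do
        if grep -Fqx "$m" "$tmp/c"; then echo "disabled $m"; else echo "removed $m"; fi
    done
    # Active now, but not active before the upgrade.
    comm -13 "$tmp/b" "$tmp/a" | sed 's/^/added /'
    rm -rf "$tmp"
}

# Constructed sample: the upgrade re-inserts perl_module commented out
# and silently activates a hypothetical example_module.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/before.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule perl_module libexec/apache22/mod_perl.so
EOF
    cat > "$d/after.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
#LoadModule perl_module libexec/apache22/mod_perl.so
LoadModule example_module libexec/apache22/mod_example.so
EOF
    loadmodule_drift "$d/before.conf" "$d/after.conf"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then loadmodule_drift "$1" "$2"; else demo; fi
```

Run with two file arguments after each package upgrade and before restarting Apache; any output means the active module set changed without the administrator editing the file.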