From owner-freebsd-apache@FreeBSD.ORG Mon Jun 2 17:25:23 2014
Date: Mon, 2 Jun 2014 12:25:17 -0500
From: Mark Felder
To: freebsd-apache@freebsd.org
Subject: Mass cleansing of Apache module POLA violations

Hi all,

Thanks for maintaining Apache and friends. I have a request.

With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert with it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.

Can we please stop trying to outsmart the sysadmin?

- I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and a potential security hole. I might not actually need it activated.

- I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.

- I do *NOT* want pkg and Apache to outsmart me and break my systems.

- I *do* want kind, helpful instructions in pkg-message or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/

As of today you can expect the following:

Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask?
Because mod_perl installs this:

#LoadModule perl_module libexec/apache22/mod_perl.so

And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!

There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.

If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.

Thank you for your time.
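
The failure described in this message (a reinstall leaving `LoadModule perl_module` commented out, or a module being activated unasked) can be caught before Apache is restarted by comparing the active LoadModule set in a pre-upgrade copy of httpd.conf with the current file. The script below is an added example, not part of the original message or of the FreeBSD ports tree; the function names and the `example_module` entry are hypothetical, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: report LoadModule drift between two copies of httpd.conf.

# Names of modules with an active (uncommented) LoadModule line.
# Apache directive names are case-insensitive, so match on tolower().
active_modules() {
    awk 'tolower($1) == "loadmodule" && NF >= 3 { print $2 }' "$1" |
        LC_ALL=C sort -u
}

# Print "DEACTIVATED name" / "ACTIVATED name" for each module whose active
# state differs between $1 (before) and $2 (after); return 1 on any drift.
loadmodule_drift() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/lmdrift.XXXXXX") || return 2
    active_modules "$1" > "$tmp/before"
    active_modules "$2" > "$tmp/after"
    report=$(
        LC_ALL=C comm -23 "$tmp/before" "$tmp/after" | sed 's/^/DEACTIVATED /'
        LC_ALL=C comm -13 "$tmp/before" "$tmp/after" | sed 's/^/ACTIVATED /'
    )
    rm -rf "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the mod_perl case from the message, plus a hypothetical
# example_module that an install script activated without being asked.
drift_demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/lmdemo.XXXXXX") || return 2
    cat > "$dir/before.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule perl_module libexec/apache22/mod_perl.so
EOF
    cat > "$dir/after.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
#LoadModule perl_module libexec/apache22/mod_perl.so
LoadModule example_module libexec/apache22/mod_example.so
EOF
    rc=0
    loadmodule_drift "$dir/before.conf" "$dir/after.conf" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

drift_demo || echo "httpd.conf changed: review before restarting Apache"
```

Run `loadmodule_drift` against a copy of httpd.conf saved before the upgrade and the live file afterwards; a non-zero exit can gate the Apache restart in a deployment script.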