From owner-freebsd-apache@FreeBSD.ORG Sat Jun 7 21:07:12 2014
Message-ID: <53937F05.2010402@gmx.de>
Date: Sat, 07 Jun 2014 23:07:17 +0200
From: olli hauer
To: freebsd-apache@freebsd.org
Subject: Re: Mass cleansing of Apache module POLA violations
List-Id: Support of apache-related ports

On 2014-06-02 19:25, Mark Felder wrote:
> Hi all,
>
> Thanks for maintaining Apache and friends.
>
> I have a request. With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.
>
> Can we please stop trying to outsmart the sysadmin?
>
> - I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and a potential security hole. I might not actually need it activated.
> - I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.
> - I do *NOT* want pkg and Apache to outsmart me and break my systems.
> - I *do* want kind, helpful instructions in pkg-message, or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/
>
> As of today you can expect the following:
>
> Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask? Because mod_perl installs this:
>
> #LoadModule perl_module libexec/apache22/mod_perl.so
>
> And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!
>
> There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.
>
> If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.
>

On my road-map is the rewrite of bsd.apache.mk (which should in the future be used only for the www/apache ports) plus an addition for Uses/apache.mk.

It is planned that modules place a sample '#LoadModule ...' into etc/apache2(2|4)/modules.d/ (see modules.d/README_modules.d). This way the file can contain instructions on how to use the module, and once the file is modified (module enabled) it will stay until the user wipes it from the system.

Since the instructions to include configs from this directory are already in httpd.conf, you can already start using it for modules that are disabled by default.

For lack of time the work is not finished; apache@ is searching for new members (only one active member has been around for a long time, so fresh blood is welcome ;)

--
Regards,
olli
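As an added example (not code from the thread or from the ports tree), the following POSIX sh audit lists every LoadModule directive across httpd.conf and the modules.d/ samples and reports whether each is enabled or commented out, so that an upgrade that re-comments a line (the mod_perl case above) is caught before Apache is restarted. The fixture paths, the Include pattern and the module names are constructed assumptions.

```shell
# Print "enabled|disabled <module> <file>" for every LoadModule directive
# found in <root>/httpd.conf and <root>/modules.d/*.conf.
audit_modules() {
    conf_root=$1
    for f in "$conf_root/httpd.conf" "$conf_root"/modules.d/*.conf; do
        [ -f "$f" ] || continue
        # First expression: leading '#' (any amount of '#'/blanks) => disabled.
        # Second expression: LoadModule at line start => enabled.
        sed -n \
          -e 's/^[[:space:]]*#[#[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/disabled \1/p' \
          -e 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/enabled \1/p' \
          "$f" |
        while read -r state name; do
            printf '%s %s %s\n' "$state" "$name" "$f"
        done
    done
}

# Return 1 (and name the offenders on stderr) if any module in the
# space-separated list $2 is not enabled anywhere under $1.
check_enabled() {
    conf_root=$1; expected=$2; rc=0
    for m in $expected; do
        if ! audit_modules "$conf_root" | grep -q "^enabled $m "; then
            echo "NOT ENABLED: $m" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: ssl enabled, perl re-commented by an upgrade, plus a
# modules.d sample shipped commented out as the reply proposes.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/modules.d"
    printf '%s\n' \
        'LoadModule ssl_module libexec/apache22/mod_ssl.so' \
        '#LoadModule perl_module libexec/apache22/mod_perl.so' \
        'Include etc/apache22/modules.d/*.conf' > "$d/httpd.conf"
    printf '%s\n' \
        '# mod_example (constructed): remove the leading # to enable' \
        '#LoadModule example_module libexec/apache22/mod_example.so' \
        > "$d/modules.d/010_mod_example.conf"
    echo "$d"
}
```

Run `check_enabled /usr/local/etc/apache22 "perl_module ssl_module"` from a post-upgrade hook to fail loudly instead of discovering the missing module at restart.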