From: Mark Felder
Date: Sat, 7 Jun 2014 18:58:51 -0500
Subject: Re: Mass cleansing of Apache module POLA violations
To: olli hauer
Cc: freebsd-apache@freebsd.org
In-Reply-To: <53937F05.2010402@gmx.de>
List-Id: Support of apache-related ports

On Jun 7, 2014, at 16:07, olli hauer wrote:

> On 2014-06-02 19:25, Mark Felder wrote:
>> Hi all,
>>
>> Thanks for maintaining Apache and friends.
>>
>> I have a request. With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert with it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.
>>
>> Can we please stop trying to outsmart the sysadmin?
>>
>> - I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and potential security hole. I might not actually need it activated.
>> - I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.
>> - I do *NOT* want pkg and Apache to outsmart me and break my systems.
>> - I *do* want kind, helpful instructions in pkg-message or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/
>>
>> As of today you can expect the following:
>>
>> Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask? Because mod_perl installs this:
>>
>> #LoadModule perl_module libexec/apache22/mod_perl.so
>>
>> And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!
>>
>> There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.
>>
>> If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.
>>
>
> On my road-map is the rewrite of bsd.apache.mk (should be used in future only for the www/apache ports) plus an addition for Uses/apache.mk.
>
> It is planned that modules place a sample '#LoadModule ...' into etc/apache2(2|4)/modules.d/ (see modules.d/README_modules.d)
> This way the file can contain instructions how to use the module and once the file is modified (module enable) it will stay until the user wipes it from the system.
> Since the instructions to include configs from this directory are already in the httpd.conf you already start using it for per default disabled modules.
>
> Since lack of time the work is not finished, apache@ is searching new members (only one active member around since a long time, so fresh blood is welcome ;)
>

This roadmap is perfect; exactly what I was hoping for. I'm not an apache fan personally, but must use it at work regardless. If there is a rewrite in progress somewhere I would be willing to take a look and test or assist as time permits.
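
Added example, not part of the original message or of the FreeBSD ports tree: a POSIX sh function that compares the LoadModule lines of an httpd.conf copy saved before a package upgrade with the file afterwards and reports every module that was switched off or on, which is the mod_perl behaviour described in the thread. The function names, the before/after file names and example_module are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report how the set of active
# LoadModule directives changed between two copies of httpd.conf.
# Usage: loadmodule_drift httpd.conf.before httpd.conf.after

loadmodule_drift() {
    awk '
    # Match active and commented-out LoadModule lines alike.
    /^[ \t]*#?[ \t]*LoadModule[ \t]+/ {
        state = ($0 ~ /^[ \t]*#/) ? "off" : "on"
        sub(/^[ \t]*#?[ \t]*LoadModule[ \t]+/, "")   # $1 is now the module name
        side = (FILENAME == ARGV[1]) ? "old" : "new"
        # An active line wins over a commented duplicate of the same module.
        if (st[side, $1] != "on") st[side, $1] = state
        mods[$1] = 1
    }
    END {
        for (m in mods) {
            o = (("old", m) in st) ? st["old", m] : "absent"
            n = (("new", m) in st) ? st["new", m] : "absent"
            if (o == "on" && n != "on") print "DISABLED", m, "(" n ")"
            else if (o != "on" && n == "on") print "ENABLED", m, "(was " o ")"
        }
    }' "$1" "$2" | sort
}

# Constructed sample input: perl_module is re-inserted commented out, as in
# the message; example_module is a hypothetical module a package activated.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'LoadModule rewrite_module libexec/apache22/mod_rewrite.so' \
        'LoadModule perl_module libexec/apache22/mod_perl.so' > "$d/before"
    printf '%s\n' \
        'LoadModule rewrite_module libexec/apache22/mod_rewrite.so' \
        '#LoadModule perl_module libexec/apache22/mod_perl.so' \
        'LoadModule example_module libexec/apache22/mod_example.so' > "$d/after"
    loadmodule_drift "$d/before" "$d/after"
    rm -rf "$d"
}

demo
```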