cvs commit: ports/security/sshguard Makefile

Kris Kennaway kris at obsecurity.org
Sat Mar 3 20:32:05 UTC 2007 

On Sat, Mar 03, 2007 at 02:05:19PM +0100, Mij wrote:

> >IS_INTERACTIVE should *never* be used when there is a possible
> >alternative.
> 
> please include this dogma at some point in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/

You mean like in section 4.6? :)

> I see three possibilities
> 
> *) defaults
> do we have any data showing that PF (or IPFW) covers 95%+ of the users?
> or do we have any other reason to say that defaulting to PF (or IPFW)  
> will work
> on all/most setups?
> If we don't, no defaults make sense

ipfw is historically very commonly used but pf has gained popularity
in recent years.

> *) variants
> while this seems the best approach, new protection mechanisms will  
> appear
> in the future. This would bring a lot pollution of security/sshguard- 
> * variants
> in the long run. E.g., version 1 has two more backends underway.
> Moreover, a default could actually happen in the future, one  
> mechanism that works
> on all setups given some other compromise (e.g. hosts.allow).

What you call "pollution" others call "ease of use".  e.g. your port
could be added easily with pkg_add -r.  Right now there is no way a
user (pf or ipfw) can obtain your package without compiling it.

Your objection of proliferation of options doesn't carry much weight:
there is no need to add a variant for every possible build
configuration, only the popular ones.  As with every other
customizable port in the collection, users who wish to customize with
non-default options can build it themselves.  The issue is providing a
reasonable default set of packages covering the common situations.

> *) autodetection
> the port could check itself for what backend to use. E.g. look in / 
> etc/rc.conf
> for pf_* or firewall_* . If none of the possibilities are detected,  
> however, the
> problem falls back to the one of defaults.

This won't work on package builds.

> In the end, I think this port requires interaction.

You are probably the only port maintainer in recent memory who has
come to this conclusion when faced with such a choice.  I'd invite you
to reflect on that and consider how you can come to an accomodation
with the rest of us :)

Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20070303/772cce86/attachment.pgp

More information about the cvs-all mailing list