cvs commit: ports/security/sshguard Makefile
Mij
mij at bitchx.it
Sat Mar 3 13:05:23 UTC 2007
On 02/mar/07, at 19:53, Kris Kennaway wrote:
> On Fri, Mar 02, 2007 at 07:49:42PM +0100, Mij wrote:
>>
>> On 02/mar/07, at 17:49, Kris Kennaway wrote:
>>
>>> On Thu, Mar 01, 2007 at 10:06:14AM +0000, Cheng-Lung Sung wrote:
>>>> clsung 2007-03-01 10:06:14 UTC
>>>>
>>>> FreeBSD ports repository
>>>>
>>>> Modified files:
>>>> security/sshguard Makefile
>>>> Log:
>>>> - respect maintainer's insist on interactive part,
>>>> even IS_INTERACTIVE is discouraged
>>
>> not glad to see such comment
>>
>>
>>> This is disappointing. Can the maintainer explain why?
>>
>> the app requires the user to choose what firewall to support for
>> building: IPFW or PF.
>> They are in XOR and there is no reasonable default in this.
>>
>> Cheng-Lung chose PF default and removed is_interactive.
>> A feedback request would have avoided this qui pro quo.
>
> IS_INTERACTIVE should *never* be used when there is a possible
> alternative.
please include this dogma at some point in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/
> The obvious choice here (if you really cannot decide on
> a default) is to make your port in two variants, one a slave of the
> other, which enable either option.
I see three possibilities
*) defaults
do we have any data showing that PF (or IPFW) covers 95%+ of the users?
or do we have any other reason to say that defaulting to PF (or IPFW)
will work
on all/most setups?
If we don't, no defaults make sense
*) variants
while this seems the best approach, new protection mechanisms will
appear
in the future. This would bring a lot pollution of security/sshguard-
* variants
in the long run. E.g., version 1 has two more backends underway.
Moreover, a default could actually happen in the future, one
mechanism that works
on all setups given some other compromise (e.g. hosts.allow).
*) autodetection
the port could check itself for what backend to use. E.g. look in /
etc/rc.conf
for pf_* or firewall_* . If none of the possibilities are detected,
however, the
problem falls back to the one of defaults.
In the end, I think this port requires interaction.
If some of you has more suggestions, they are welcome.
In the meantime, as we've come to subtle details of the port, I will
stop copying
to cvs-* people for the next messages.
bye
mm
>>> And what is this? :)
>>
>> this used to be ".error blah" for checking the options' XOR-ness,
>> then removed because
>> options are also set when deinstalling/cleaning etc. Definitely
>> useless, replacing with a
>> comment about the problem appears the best to do. Actually I dunno
>> why this made its way
>> in the submission :)
>
> OK, I assume you'll fix this?
>
> Kris
More information about the cvs-ports
mailing list