Mass cleansing of Apache module POLA violations

Mark Felder feld at FreeBSD.org
Sat Jun 7 23:58:59 UTC 2014


On Jun 7, 2014, at 16:07, olli hauer <ohauer at gmx.de> wrote:

> On 2014-06-02 19:25, Mark Felder wrote:
>> Hi all,
>> 
>> Thanks for maintaining Apache and friends.
>> 
>> I have a request. With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert with it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.
>> 
>> Can we please stop trying to outsmart the sysadmin?
>> 
>> - I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and a potential security hole. I might not actually need it activated.
>> - I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.
>> - I do *NOT* want pkg and Apache to outsmart me and break my systems.
>> - I *do* want kind, helpful instructions in pkg-message or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/
>> 
>> As of today you can expect the following:
>> 
>> Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask? Because mod_perl installs this:
>> 
>> #LoadModule perl_module        libexec/apache22/mod_perl.so
>> 
>> And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!
>> 
>> There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.
>> 
>> If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.
>> 
> 
> On my road-map is the rewrite of bsd.apache.mk (should be used in future only for the www/apache ports) plus an addition for Uses/apache.mk.
> 
> It is planned that modules place a sample '#LoadModule ...' into etc/apache2(2|4)/modules.d/ (see modules.d/README_modules.d)
> This way the file can contain instructions on how to use the module, and once the file is modified (module enabled) it will stay until the user wipes it from the system.
> Since the instructions to include configs from this directory are already in httpd.conf, you can already start using it for modules that are disabled by default.
> 
> Due to lack of time the work is not finished. apache@ is searching for new members (only one active member around for a long time, so fresh blood is welcome ;)
> 

This roadmap is perfect; exactly what I was hoping for. I'm not an Apache fan personally, but must use it at work regardless. If there is a rewrite in progress somewhere I would be willing to take a look and test or assist as time permits.
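
The following is an added example, not part of the original message or of the ports tree: a POSIX sh check that records which modules have an active LoadModule line before an upgrade and reports any that are missing or commented out afterwards, as in the mod_perl case described in the thread. The config contents, the mod_rewrite line and the `perl.conf` file name under modules.d are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: report modules whose LoadModule line was
# active before a package upgrade and is missing or commented out afterwards.

# active_modules FILE... : sorted names of modules with an uncommented LoadModule.
active_modules() {
    awk 'tolower($1) == "loadmodule" && NF >= 3 { print $2 }' "$@" | LC_ALL=C sort -u
}

# commented_modules FILE... : sorted names of modules offered as "#LoadModule ...".
# Requires a .so path so ordinary comments mentioning LoadModule are skipped.
commented_modules() {
    awk '/^[ \t]*#/ { sub(/^[ \t]*#+[ \t]*/, "")
                      if (tolower($1) == "loadmodule" && $3 ~ /\.so$/) print $2 }' "$@" |
        LC_ALL=C sort -u
}

# check_drift BASELINE FILE... : print modules listed in BASELINE (output of
# active_modules saved before the upgrade) that are no longer active in FILE...
# Returns 1 if any module was lost, 0 otherwise.
check_drift() {
    baseline=$1; shift
    lost=$(active_modules "$@" | LC_ALL=C comm -23 "$baseline" -)
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"
    return 1
}

demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/lmdrift.XXXXXX") || return 1
    mkdir "$d/modules.d"
    # Constructed httpd.conf: the admin uncommented mod_perl by hand.
    printf '%s\n' 'LoadModule rewrite_module libexec/apache22/mod_rewrite.so' \
        'LoadModule perl_module        libexec/apache22/mod_perl.so' > "$d/httpd.conf"
    active_modules "$d/httpd.conf" > "$d/baseline"
    # Constructed post-upgrade state: the package re-inserted the line commented.
    printf '%s\n' 'LoadModule rewrite_module libexec/apache22/mod_rewrite.so' \
        '#LoadModule perl_module        libexec/apache22/mod_perl.so' > "$d/httpd.conf"
    echo "lost after upgrade:"
    check_drift "$d/baseline" "$d/httpd.conf" || true
    # Same module enabled in a modules.d file (hypothetical file name): no drift.
    echo 'LoadModule perl_module libexec/apache22/mod_perl.so' > "$d/modules.d/perl.conf"
    check_drift "$d/baseline" "$d/httpd.conf" "$d/modules.d"/*.conf && echo "no drift"
    rm -rf "$d"
}
demo
```

Saving the baseline before an upgrade and running `check_drift` before restarting Apache turns a silently disabled module into a non-zero exit status that a deployment script can act on.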



More information about the freebsd-apache mailing list