Bug 112749 - [maintainer update] update security/sshguard
Summary: [maintainer update] update security/sshguard
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Ion-Mihai "IOnut" Tetcu
Reported: 2007-05-18 01:50 UTC by mij@sshguard.net
Modified: 2007-06-12 21:21 UTC (History)

Attachments
file.diff (2.88 KB, patch)
2007-05-18 01:50 UTC, mij@sshguard.net
sshg.patch (2.88 KB, patch)
2007-05-24 00:21 UTC, mij@sshguard.net
sshguard10.diff (2.86 KB, patch)
2007-06-05 17:01 UTC, mij@sshguard.net
sshguard10.diff (5.71 KB, patch)
2007-06-09 00:38 UTC, mij@sshguard.net
sshguard10.diff (6.34 KB, patch)
2007-06-09 12:18 UTC, mij@sshguard.net

Description mij@sshguard.net 2007-05-18 01:50:02 UTC
this patch upgrades security/sshguard to version 1.0b2.

Port changes: no longer interactive, use default blocking backend (hosts)
and move alternatives to slave ports.

Software changes: see
http://sourceforge.net/project/shownotes.php?group_id=188282&release_id=507012

Fix: Patch attached with submission follows:
Comment 1 Martin Wilke freebsd_committer freebsd_triage 2007-05-18 09:13:36 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 2 Martin Wilke freebsd_committer freebsd_triage 2007-05-18 10:03:41 UTC
Responsible Changed
From-To: miwi->itetcu

request on irc :D
Comment 3 mij@sshguard.net 2007-05-24 00:21:11 UTC
please apply this patch with newer version 1.0b3

Comment 4 mij@sshguard.net 2007-06-05 17:01:06 UTC
please apply this patch with newer version 1.0 final

Comment 5 Yen-Ming Lee freebsd_committer freebsd_triage 2007-06-08 05:27:25 UTC
Hi,

Please check the script in http://www.freebsd.org/cgi/query-pr.cgi?pr=113453
which makes it easier to start/stop the daemon.

-- 
Yen-Ming Lee
Comment 6 mij@sshguard.net 2007-06-08 10:54:01 UTC
On 08/giu/07, at 06:27, Yen-Ming Lee wrote:

> Hi,
>
> Please check the script in http://www.freebsd.org/cgi/query-pr.cgi?pr=113453
> which makes it easier to start/stop the daemon.

sshguard can be given log entries to scan in 2 ways:
1) by a logging daemon directly (syslog, syslog-ng)
2) by a persistent process that picks them from the raw file ("standalone" mode)

While the second way has become very popular for being covered in a linux.com
article on sshguard, it has been provided for OSes without a logging daemon, or
whose logger doesn't support piping to external programs (e.g. CentOS).
The same article made several other mistakes, see
http://sshguard.sourceforge.net/linuxcomarticle.html

To sshguard packagers, it has been recommended not to use the standalone
approach whenever possible:

"""
I remind to use the syslog+sshguard or syslog-ng+sshguard whenever
possible; avoid the tail+sshguard combo which is just a working hack.
"""

http://sourceforge.net/mailarchive/forum.php?thread_name=A2E97063-17E2-46C8-8057-D78CE0B1BC84%40bitchx.it&forum_name=sshguard-maintainers

Syslog is the natural way to pass log entries to processes, it is simple,
handles rotation autonomously, works in push, restarts procs if they terminate
and spares one useless process in the system.
For what reasons might a user prefer the tail+sshguard hack instead of
syslog+sshguard? If this is the case, the rc script becomes useful and we
could include it in the port and report both ways in the pkg-message.

ideas?
Comment 7 Yen-Ming Lee 2007-06-08 12:30:32 UTC
[sorry itetcu, I just copy-and-paste the paragraph from my previous private
mail]

If you use syslog, you need to edit syslog.conf and restart syslogd
every time you install/deinstall it. Also, you have to do so even if you
just want to disable it temporarily. If you use /usr/local/etc/rc.d/sshguard,
it will be easier to start/stop it, or simply check if it's running.

Just my $0.02.

Regards,
-- 
Yen-Ming Lee <leeym@leeym.com>
Comment 8 mij@sshguard.net 2007-06-08 13:52:29 UTC
On 08/giu/07, at 13:30, Yen-Ming Lee wrote:

> [sorry itetcu, I just copy-and-paste the paragraph from my previous  
> private mail]
>
> If you use syslog, you need to edit syslog.conf and restart syslogd
> every time you install/deinstall it.

This is related to the install/deinstall process, not to the usage. I.e., for
resolving this we would better automate the port to handle this during
install/deinstall events instead of making users run tail+sshguard forever.

This is easily manageable with pkg-install/deinstall:
(I quickly wrote this code in my MUA and did not test it in a shell)

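pkg-install:
case "$2" in
	"POST-INSTALL")
		# add the entry only if syslog.conf exists and does not mention sshguard yet
		if test -f /etc/syslog.conf && ! grep -q sshguard /etc/syslog.conf ; then
			# append default sshguard entry in syslog.conf
			echo "auth.info;authpriv.info     |exec $PKG_PREFIX/sshguard" >> /etc/syslog.conf
		fi
	;;
esac

pkg-deinstall:
case "$2" in
	"DEINSTALL")
		# act only if an sshguard entry without option flags (the default one) is present
		if test -f /etc/syslog.conf && grep sshguard /etc/syslog.conf | grep -qvE -- ' -[[:alpha:]]' ; then
			# remove default sshguard entry from syslog.conf
			TMPFILE=`mktemp -q /tmp/syslogc.XXXXXX` || exit 1
			# -x -F: match the whole entry literally; read syslog.conf, not stdin
			grep -vxF -- "auth.info;authpriv.info     |exec $PKG_PREFIX/sshguard" /etc/syslog.conf > "$TMPFILE"
			# copy back instead of mv, so syslog.conf keeps its owner and mode
			cat "$TMPFILE" > /etc/syslog.conf
			rm -f "$TMPFILE"
		fi
	;;
esac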


> Also, you have to do so even if you just want to disable it  
> temporarily. If you use
> /usr/local/etc/rc.d/sshguard, it will be easier to start/stop it,  
> or simply check if it's running.
>
> Just my $0.02.

I don't get an immediate picture of when this could be wanted, however this
costs an epsilon to handle by the process itself
http://sourceforge.net/tracker/index.php?func=detail&aid=1733390&group_id=188282&atid=924688


I want not to induce users to use the standalone mode by default (this is what
you do typically if you get a starting script) when it has little reason to
exist.
I'm not against the rc.d script; if you believe that having the tail combo too
is good, welcome to include the script, but let's use OPTIONS (with the
standalone way default off) to decide what way to go.
Comment 9 Yen-Ming Lee 2007-06-08 14:46:22 UTC
It's alright to me if you handle it by using pkg-install and pkg-deinstall.

BTW, it's good to use pkg-message instead of "echo" in Makefile, since
the message displayed by "echo" won't be shown if users install it by
package.

Okay, forget about the start/stop script.

Regards,
-- 
Yen-Ming Lee <leeym@leeym.com>
Comment 10 mij@sshguard.net 2007-06-09 00:38:54 UTC
On 08/giu/07, at 15:46, Yen-Ming Lee wrote:

> It's alright to me if you handle it by using pkg-install and pkg-deinstall.
>
> BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> the message displayed by "echo" won't be shown if users install it by package.

this was a typo in the old port, but it's just a matter of prepending echos
with @ in Makefile.


> Okay, forget about the start/stop script.

this is the final patch with pkg-install/deinstall then
Comment 11 Yen-Ming Lee 2007-06-09 02:34:54 UTC
2007/6/9, Mij <mij@bitchx.it>:
>
>
> On 08/giu/07, at 15:46, Yen-Ming Lee wrote:
>
> > It's alright to me if you handle it by using pkg-install and pkg-deinstall.
> >
> > BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> > the message displayed by "echo" won't be shown if users install it
> > by package.
>
> this was a typo in the old port, but it's just a matter of prepending
> echos with @ in Makefile.


No, it's not only a typo in Makefile.

If you use ECHO_MSG, it will only be displayed when installing a port,
but not displayed when installing the package built from that port. In
general cases, we use ECHO_MSG to tell the users who build the port or
package about OPTIONS or pre-defined knobs, and use pkg-message to tell
users who install it about the settings or configuration files.

We should use pkg-message (like what you did in the latest patch) in this
case.

> Okay, forget about the start/stop script.
>
> this is the final patch with pkg-install/deinstall then
>

Looks great except a small typo, thanks.

"Syslog has been configured too activate sshguard" <-- s/ too / to /

-- 
Yen-Ming Lee <leeym@leeym.com>
Comment 12 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2007-06-09 07:28:03 UTC
On Sat, 9 Jun 2007 01:38:54 +0200
Mij <mij@bitchx.it> wrote:

> > Okay, forget about the start/stop script.  
> 
> this is the final patch with pkg-install/deinstall then


I have only one comment:
We do not modify system configuration files / (re)start services without
explicit user approval.

If you choose to modify syslog.conf, please add the sshguard's line
commented out and tell the user what he has to do (de-comment
and /etc/rc.d/syslogd reload). You might want to add a user switch
(default off) that allows to keep the behaviour in your diff (for
portupgrades); the switch idea is better IMO than asking in pkg-install
since this asking implies marking the port as IS_INTERACTIVE.

On deinstall the current behaviour should be kept (else the logging
would be broken).

With this and a few typo fixes we're good to go.



-- 
IOnut - Un^d^dregistered ;) FreeBSD "user"
  "Intellectual Property" is   nowhere near as valuable   as "Intellect"
Comment 13 mij@sshguard.net 2007-06-09 09:49:49 UTC
On 09/giu/07, at 03:34, Yen-Ming Lee wrote:

> > BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> > the message displayed by "echo" won't be shown if users install it
> > by package.
>
> this was a typo in the old port, but it's just a matter of prepending
> echos with @ in Makefile.
>
> No, it's not only a typo in Makefile.
>
> If you use ECHO_MSG, it will only be displayed when installing a port,
> but not displayed when installing the package built from that port. In
> general cases, we use ECHO_MSG to tell the users who build the port or
> package about OPTIONS or pre-defined knobs, and use pkg-message to tell
> users who install it about the settings or configuration files.
>
> We should use pkg-message (like what you did in the latest patch) in this case.

Correct; for some reason what I have read from your phrase was that pkg_message
is good because it avoids echoing commands along with their output :)


> > Okay, forget about the start/stop script.
>
> this is the final patch with pkg-install/deinstall then
>
> Looks great except a small typo, thanks.
>
> "Syslog has been configured too activate sshguard" <-- s/ too / to /

thanks. I will submit a new patch shortly
Comment 14 mij@sshguard.net 2007-06-09 12:18:47 UTC
this patch
- makes pkg-install insert commented configuration line
- makes pkg-message variable wrt what variant is being installed
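
One way to implement the behaviour requested in Comment 12 and summarised in Comment 14 (entry added commented out on install, stock entry removed on deinstall), as an added example that is not the port's committed pkg-install/pkg-deinstall. The function names, the scratch-file arguments and the `/usr/local` prefix are assumptions; the entry text is the one quoted in Comment 8.

```shell
#!/bin/sh
# Added example, not the port's committed pkg-install/pkg-deinstall.
# The conf path and prefix are arguments (an assumption of this example)
# so the functions can be tried on a scratch copy of syslog.conf.

sshg_entry() {	# $1 = install prefix
	printf 'auth.info;authpriv.info     |exec %s/sshguard' "$1"
}

# POST-INSTALL: append the entry commented out, exactly once.
sshg_install() {	# $1 = syslog.conf path, $2 = prefix
	[ -f "$1" ] || return 0
	# Any existing mention (commented, active or customised) is left alone.
	if grep -q sshguard "$1"; then return 0; fi
	printf '#%s\n' "$(sshg_entry "$2")" >> "$1"
}

# DEINSTALL: drop only the stock entry (commented, or activated by the admin);
# lines the admin customised with options stay, and so does everything else.
sshg_deinstall() {	# $1 = syslog.conf path, $2 = prefix
	[ -f "$1" ] || return 0
	entry=$(sshg_entry "$2")
	tmp=$(mktemp "${TMPDIR:-/tmp}/syslogc.XXXXXX") || return 1
	rc=0
	# -F literal, -x whole line: '.' and '|' in the entry are not patterns.
	grep -vxF -e "$entry" -e "#$entry" "$1" > "$tmp" || rc=$?
	if [ "$rc" -gt 1 ]; then rm -f "$tmp"; return 1; fi	# >1 = grep error
	cat "$tmp" > "$1"	# rewrite in place: keeps owner and mode of the file
	rm -f "$tmp"
}

# Demo on a constructed scratch file (never touches /etc/syslog.conf).
demo=$(mktemp "${TMPDIR:-/tmp}/sshgdemo.XXXXXX")
printf '*.err\t/var/log/messages\n' > "$demo"
sshg_install "$demo" /usr/local
sshg_install "$demo" /usr/local	# second run adds nothing
cat "$demo"
sshg_deinstall "$demo" /usr/local
cat "$demo"
rm -f "$demo"
```

Neither function reloads syslogd; activating the line and reloading stays a manual step for the administrator.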
Comment 15 dfilter service freebsd_committer freebsd_triage 2007-06-12 21:05:49 UTC
itetcu      2007-06-12 20:05:42 UTC

  FreeBSD ports repository

  Modified files:
    security/sshguard    Makefile distinfo 
  Added files:
    security/sshguard    pkg-deinstall pkg-install 
    security/sshguard/files pkg-message.in 
  Log:
  - upgrade to version 1.0
  - the port is no longer interactive, it uses the default blocking backend (hosts)
  - for pf and ipfw see the new ports sshguard-[pf|ipfw]
  
  PR:             ports/112749
  Submitted by:   Mij (maintainer)
  Reviewed by:    leeym@
  
  Revision  Changes    Path
  1.3       +29 -19    ports/security/sshguard/Makefile
  1.2       +3 -3      ports/security/sshguard/distinfo
  1.1       +10 -0     ports/security/sshguard/files/pkg-message.in (new)
  1.1       +36 -0     ports/security/sshguard/pkg-deinstall (new)
  1.1       +41 -0     ports/security/sshguard/pkg-install (new)
Comment 16 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2007-06-12 21:21:31 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!