this patch upgrades security/sshguard to version 1.0b2.

Port changes: no longer interactive, use default blocking backend (hosts) and move alternatives to slave ports.

Software changes: see http://sourceforge.net/project/shownotes.php?group_id=188282&release_id=507012

Fix: Patch attached with submission follows:

Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.

Responsible Changed
From-To: miwi->itetcu

request on irc :D

please apply this patch with newer version 1.0b3
please apply this patch with newer version 1.0 final
Hi,

Please check the script in http://www.freebsd.org/cgi/query-pr.cgi?pr=113453 which makes it easier to start/stop the daemon.

--
Yen-Ming Lee

On 08/giu/07, at 06:27, Yen-Ming Lee wrote:

> Hi,
>
> Please check the script in http://www.freebsd.org/cgi/query-pr.cgi?pr=113453
> which makes it easier to start/stop the daemon.

sshguard can be given log entries to scan in 2 ways:

1) by a logging daemon directly (syslog, syslog-ng)
2) by a persistent process that picks them from the raw file ("standalone" mode)

While the second way has become very popular for being covered in a linux.com article on sshguard, it has been provided for OSes without a logging daemon, or whose logger doesn't support piping to external programs (e.g. CentOS). The same article made several other mistakes, see http://sshguard.sourceforge.net/linuxcomarticle.html

To sshguard packagers, it has been recommended not to use the standalone approach whenever possible:

"""
I remind to use the syslog+sshguard or syslog-ng+sshguard whenever possible; avoid the tail+sshguard combo which is just a working hack.
"""
http://sourceforge.net/mailarchive/forum.php?thread_name=A2E97063-17E2-46C8-8057-D78CE0B1BC84%40bitchx.it&forum_name=sshguard-maintainers

Syslog is the natural way to pass log entries to processes: it is simple, handles rotation autonomously, works in push, restarts procs if they terminate and spares one useless process in the system.

For what reasons might a user prefer the tail+sshguard hack instead of syslog+sshguard? If this is the case, the rc script becomes useful and we could include it in the port and report both ways in the pkg-message.

ideas?

[sorry itetcu, I just copy-and-paste the paragraph from my previous private mail]

If you use syslog, you need to edit syslog.conf and restart syslogd every time you install/deinstall it. Also, you have to do so even if you just want to disable it temporarily. If you use /usr/local/etc/rc.d/sshguard, it will be easier to start/stop it, or simply check if it's running.

Just my $0.02.

Regards,
--
Yen-Ming Lee <leeym@leeym.com>

On 08/giu/07, at 13:30, Yen-Ming Lee wrote:

> [sorry itetcu, I just copy-and-paste the paragraph from my previous
> private mail]
>
> If you use syslog, you need to edit syslog.conf and restart syslogd
> every time you install/deinstall it.

This is related to the install/deinstall process, not to the usage. I.e., for resolving this we would better automate the port to handle this during install/deinstall events instead of making users run tail+sshguard forever. This is easily manageable with pkg-install/deinstall:

(I quickly wrote this code in my MUA and did not test it in a shell)

pkg-install:

    case "$2" in
    "POST-INSTALL")
        # act only if syslog.conf exists and has no sshguard entry yet
        if test -f /etc/syslog.conf && ! grep -q sshguard /etc/syslog.conf ; then
            # append default sshguard entry in syslog.conf
            echo "auth.info;authpriv.info     |exec $PKG_PREFIX/sshguard" >> /etc/syslog.conf
        fi
        ;;
    esac

pkg-deinstall:

    case "$2" in
    "DEINSTALL")
        # act only if an sshguard entry without options (the default one) exists
        if test -f /etc/syslog.conf && grep sshguard /etc/syslog.conf | grep -qvE -- ' -[[:alpha:]]' ; then
            # remove default sshguard entry from syslog.conf
            TMPFILE=`mktemp -q /tmp/syslogc.XXXXXX` || exit 1
            # -F: match the entry as a fixed string, not as a regex
            grep -vF "auth.info;authpriv.info     |exec $PKG_PREFIX/sshguard" /etc/syslog.conf > "$TMPFILE"
            # write back in place so syslog.conf keeps its owner and mode
            cat "$TMPFILE" > /etc/syslog.conf
            rm -f "$TMPFILE"
        fi
        ;;
    esac

> Also, you have to do so even if you just want to disable it
> temporarily. If you use
> /usr/local/etc/rc.d/sshguard, it will be easier to start/stop it,
> or simply check if it's running.
>
> Just my $0.02.

I don't get an immediate picture of when this could be wanted, however this costs an epsilon to handle by the process itself:
http://sourceforge.net/tracker/index.php?func=detail&aid=1733390&group_id=188282&atid=924688

I want not to induce users to use the standalone mode by default (this is what you do typically if you get a starting script) when it has little reason to exist. I'm not against the rc.d script; if you believe that having the tail combo too is good, welcome to include the script, but let's use OPTIONS (with the standalone way default off) to decide what way to go.

It's alright to me if you handle it by using pkg-install and pkg-deinstall.

BTW, it's good to use pkg-message instead of "echo" in Makefile, since the message displayed by "echo" won't be shown if users install it by package.

Okay, forget about the start/stop script.

Regards,
--
Yen-Ming Lee <leeym@leeym.com>

On 08/giu/07, at 15:46, Yen-Ming Lee wrote:

> It's alright to me if you handle it by using pkg-install and
> pkg-deinstall.
>
> BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> the message displayed by "echo" won't be shown if users install it
> by package.

this was a typo in the old port, but it's just a matter of prepending echos with @ in Makefile.

> Okay, forget about the start/stop script.

this is the final patch with pkg-install/deinstall then

2007/6/9, Mij <mij@bitchx.it>:

> On 08/giu/07, at 15:46, Yen-Ming Lee wrote:
>
> > It's alright to me if you handle it by using pkg-install and
> > pkg-deinstall.
> >
> > BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> > the message displayed by "echo" won't be shown if users install it
> > by package.
>
> this was a typo in the old port, but it's just a matter of prepending
> echos with @ in Makefile.

No, it's not only a typo in Makefile.

If you use ECHO_MSG, it will only be displayed when installing a port, but not displayed when installing the package built from that port. In general cases, we use ECHO_MSG to tell the users who build the port or package about OPTIONS or pre-defined knobs, and use pkg-message to tell users who install it about the settings or configuration files.

We should use pkg-message (like what you did in the latest patch) in this case.

> > Okay, forget about the start/stop script.
>
> this is the final patch with pkg-install/deinstall then

Looks great except a small typo, thanks.

"Syslog has been configured too activate sshguard" <-- s/ too / to /

--
Yen-Ming Lee <leeym@leeym.com>

On Sat, 9 Jun 2007 01:38:54 +0200 Mij <mij@bitchx.it> wrote:

> > Okay, forget about the start/stop script.
>
> this is the final patch with pkg-install/deinstall then

I have only one comment: We do not modify system configuration files / (re)start services without explicit user approval.

If you choose to modify syslog.conf, please add the sshguard's line commented out and tell the user what he has to do (de-comment and /etc/rc.d/syslogd reload). You might want to add a user switch (default off) that allows to keep the behaviour in your diff (for portupgrades); the switch idea is better IMO than asking in pkg-install since this asking implies marking the port as IS_INTERACTIVE.

On deinstall the current behaviour should be kept (else the logging would be broken).

With this and a few typo fixes we're good to go.

--
IOnut - Un^d^dregistered ;) FreeBSD "user"
"Intellectual Property" is nowhere near as valuable as "Intellect"

On 09/giu/07, at 03:34, Yen-Ming Lee wrote:

> > > BTW, it's good to use pkg-message instead of "echo" in Makefile, since
> > > the message displayed by "echo" won't be shown if users install it
> > > by package.
> >
> > this was a typo in the old port, but it's just a matter of prepending
> > echos with @ in Makefile.
>
> No, it's not only a typo in Makefile.
>
> If you use ECHO_MSG, it will only be displayed when installing a
> port, but not displayed when installing the package built from that port. In
> general cases, we use ECHO_MSG to tell the users who build the port or
> package about OPTIONS or pre-defined knobs, and use pkg-message to
> tell users who install it about the settings or configuration files.
>
> We should use pkg-message (like what you did in the latest patch)
> in this case.

Correct; for some reason what I have read from your phrase was that pkg_message is good because it avoids echoing commands along with their output :)

> > > Okay, forget about the start/stop script.
> >
> > this is the final patch with pkg-install/deinstall then
>
> Looks great except a small typo, thanks.
>
> "Syslog has been configured too activate sshguard" <-- s/ too / to /

thanks. I will submit a new patch shortly

this patch
- makes pkg-install insert commented configuration line
- makes pkg-message variable wrt what variant is being installed

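The syslog.conf handling this thread settles on, as an added example (not the port's actual pkg-install/pkg-deinstall scripts): the default entry is appended commented out exactly once, and removal deletes only the exact default line, so entries an administrator customised survive. The PKG_PREFIX default, the sbin/ location of the binary and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not the port's scripts. The PKG_PREFIX default and the
# sbin/ location of the binary are assumptions.
PKG_PREFIX="${PKG_PREFIX:-/usr/local}"
ENTRY="auth.info;authpriv.info     |exec $PKG_PREFIX/sbin/sshguard"

# add_commented_entry FILE
# Append the default entry commented out, unless the file already
# mentions sshguard (active, commented or customised by the admin).
add_commented_entry() {
    conf=$1
    [ -f "$conf" ] || return 1
    if grep -q sshguard "$conf"; then
        return 0
    fi
    printf '#%s\n' "$ENTRY" >> "$conf"
}

# remove_default_entry FILE
# Delete only the exact default line (active or commented). Lines the
# admin edited, e.g. to add options, do not match and are kept.
remove_default_entry() {
    conf=$1
    [ -f "$conf" ] || return 1
    # Temp file beside the target so the final mv is an atomic rename.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # cp -p first so the replacement keeps the original mode and owner.
    cp -p "$conf" "$tmp" || { rm -f "$tmp"; return 1; }
    # -x whole line, -F fixed string: ';', '.' and '|' stay literal.
    # grep exits 1 when nothing is left to print; that is not a failure.
    grep -vxF -e "$ENTRY" -e "#$ENTRY" "$conf" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"
        return 1
    }
    mv "$tmp" "$conf"
}
```

Both functions take the file path as an argument, so they can be exercised on a copy of syslog.conf before being pointed at /etc/syslog.conf.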
itetcu      2007-06-12 20:05:42 UTC

FreeBSD ports repository

Modified files:
  security/sshguard          Makefile distinfo
Added files:
  security/sshguard          pkg-deinstall pkg-install
  security/sshguard/files    pkg-message.in

Log:
- upgrade to version 1.0
- the port is no longer interactive, it uses the default blocking backend (hosts)
- for pf and ipfw see the new ports sshguard-[pf|ipfw]

PR:            ports/112749
Submitted by:  Mij (maintainer)
Reviewed by:   leeym@

Revision  Changes    Path
1.3       +29 -19    ports/security/sshguard/Makefile
1.2       +3 -3      ports/security/sshguard/distinfo
1.1       +10 -0     ports/security/sshguard/files/pkg-message.in (new)
1.1       +36 -0     ports/security/sshguard/pkg-deinstall (new)
1.1       +41 -0     ports/security/sshguard/pkg-install (new)

State Changed
From-To: open->closed

Committed, with minor changes. Thanks!