Bug 231839 - security/suricata: update to 4.1
Summary: security/suricata: update to 4.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Steve Wills
 
Reported: 2018-10-01 05:35 UTC by Franco Fichtner
Modified: 2018-12-10 17:58 UTC


Attachments
RC1 test patch (9.34 KB, patch)
2018-10-01 05:35 UTC, Franco Fichtner
franco: maintainer-approval-
RC2 test patch (9.39 KB, patch)
2018-10-28 10:10 UTC, Franco Fichtner
franco: maintainer-approval-
final 4.1 update (8.86 KB, patch)
2018-11-13 15:04 UTC, Franco Fichtner
franco: maintainer-approval+
PYTHON option, default changes (12.95 KB, patch)
2018-12-10 07:30 UTC, Franco Fichtner
franco: maintainer-approval+
Description Franco Fichtner 2018-10-01 05:35:36 UTC
Created attachment 197656 [details]
RC1 test patch

This is a *work in progress* for interested parties. It is not ready to be committed.

Given recent events in the FreeBSD ports committer community surrounding a previous Suricata submission and, just recently, a C-ICAP encounter, I feel forced to document this work on the upcoming Suricata version 4.1 so that it's perfectly clear where the contribution originated from.

Individual work excluding testing took place in OPNsense in these commits:

https://github.com/opnsense/ports/commit/e59b0d3c
https://github.com/opnsense/ports/commit/22e295b2
https://github.com/opnsense/ports/commit/44156306

The rework includes a few things:

* Stop using the libhtp port over security concerns that make updates risky. The libhtp port is not used by any port other than Suricata.
* Add RUST option for experimental protocol decoders.
* Rules files now install directly into %%DATADIR%%
Comment 1 Franco Fichtner 2018-10-28 10:10:06 UTC
Created attachment 198715 [details]
RC2 test patch

RC2 update, RUST is no longer experimental, but remains optional for now.
Comment 2 Franco Fichtner 2018-11-13 15:04:19 UTC
Created attachment 199207 [details]
final 4.1 update

Final patch attached, release notes via:

https://suricata-ids.org/2018/11/06/suricata-4-1-released/

Quarterly branch should receive only the 4.0.6 update (currently at 4.0.5)

RUST option stays off for now, depends on user feedback to be enabled by default on selective architectures in the future.


Thanks,
Franco
Comment 3 Serge 2018-11-20 23:15:47 UTC
Thanks for the great work! I have a little question about 4.1. From your messages in this thread, it looks like the 4.1 port has already been released, but I only see 4.0.6 in the ports tree. I have installed suricata 4.1 from the git repo, but I would rather do it in the regular way. Also, after installing 4.1, I do not see suricata-update anywhere on my system.

Thanks again.
Comment 4 Franco Fichtner 2018-12-03 07:25:08 UTC
4.1 is not yet in FreeBSD ports.

suricata-update is a separate source code repository so it would need a separate port maybe or be included. Not sure what's more practical.
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-12-09 01:31:56 UTC
A commit references this bug:

Author: swills
Date: Sun Dec  9 01:31:31 UTC 2018
New revision: 487007
URL: https://svnweb.freebsd.org/changeset/ports/487007

Log:
  security/suricata: update to 4.1

  PR:		231839
  Submitted by:	Franco Fichtner <franco@opnsense.org> (maintainer)

Changes:
  head/security/suricata/Makefile
  head/security/suricata/distinfo
  head/security/suricata/pkg-plist
Comment 6 Steve Wills freebsd_committer freebsd_triage 2018-12-09 01:32:59 UTC
Committed, thanks! Sorry it took so long.
Comment 7 Franco Fichtner 2018-12-09 02:24:32 UTC
No worries, thanks for committing <3
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2018-12-09 09:15:25 UTC
There is a problem with default options:

- PRELUDE is on by default, while it's useless for almost everyone and off by default upstream

- RUST is off by default while it's on by default upstream and it's one of the major new features in 4.1

The plist is wrong when python is turned on by the way.
Comment 9 Steve Wills freebsd_committer freebsd_triage 2018-12-09 18:11:32 UTC
(In reply to Antoine Brodin from comment #8)
Logs for the python issue would be helpful.
Comment 10 Franco Fichtner 2018-12-09 18:28:44 UTC
I'll take a closer look tomorrow. I'm not against removing PRELUDE from the defaults. For RUST the choice was deliberate for the time being as it adds a large build dependency for manual port builders. The new option is there to test and provide feedback for eventual inclusion so that it provides a noticeable feature boost compared to the build wait time. :)
Comment 11 Franco Fichtner 2018-12-09 18:29:54 UTC
PS: I feel reopening this ticket while not being in CC is a bit counter-productive.
Comment 12 Antoine Brodin freebsd_committer freebsd_triage 2018-12-09 20:03:17 UTC
(In reply to Franco Fichtner from comment #10)
Default options are for the build cluster; individual port builders can use custom options.

Failure log with SC option on:

https://pastebin.com/raw/2Eg3fUR1
Comment 13 commit-hook freebsd_committer freebsd_triage 2018-12-09 20:19:34 UTC
A commit references this bug:

Author: swills
Date: Sun Dec  9 20:18:32 UTC 2018
New revision: 487081
URL: https://svnweb.freebsd.org/changeset/ports/487081

Log:
  security/suricata: Fix plist with SC option on

  PR:		231839
  Reported by:	antoine

Changes:
  head/security/suricata/pkg-plist
Comment 14 Franco Fichtner 2018-12-10 07:08:02 UTC
Thanks for the quick fix... but now suricata-update has been pulled in without testing and it's missing a dependency. I'll have a fix ready in a bit.
Comment 15 Franco Fichtner 2018-12-10 07:30:24 UTC
Created attachment 200000 [details]
PYTHON option, default changes

How about this to address all requests?

o Rename SC to PYTHON to reflect the new state of the option (includes suricata-update)
o Remove PRELUDE from defaults (as requested by Antoine)
o Add PYTHON to defaults (as requested by Serge)
o Add RUST to defaults (as requested by Antoine)


Cheers,
Franco
Comment 16 commit-hook freebsd_committer freebsd_triage 2018-12-10 16:05:52 UTC
A commit references this bug:

Author: swills
Date: Mon Dec 10 16:04:50 UTC 2018
New revision: 487180
URL: https://svnweb.freebsd.org/changeset/ports/487180

Log:
  security/suricata: multiple changes to previous update

  * Rename SC to PYTHON to reflect the new state of the option
  * Remove PRELUDE from defaults
  * Add PYTHON to defaults
  * Add RUST to defaults

  PR:		231839
  Submitted by:	Franco Fichtner <franco@opnsense.org> (maintainer)

Changes:
  head/security/suricata/Makefile
  head/security/suricata/pkg-plist
Comment 17 Franco Fichtner 2018-12-10 17:58:13 UTC
Thanks again!