Date:      Sun, 6 Dec 2015 22:08:44 +1100
From:      Dewayne Geraghty <dewaynegeraghty@gmail.com>
To:        Pavel Timofeev <timp87@gmail.com>
Cc:        ports-list freebsd <freebsd-ports@freebsd.org>
Subject:   Re: squid default options
Message-ID:  <CAGnMC6p8ihb35S09NeSAFw=boRXqVSXp19OLb9=y89wzgSF6LA@mail.gmail.com>
In-Reply-To: <CAAoTqftSvFDp7oBUj2GY0E6aSb2Fb-F81-h=zEeOHNLkwGc8wA@mail.gmail.com>
References:  <CAAoTqftSvFDp7oBUj2GY0E6aSb2Fb-F81-h=zEeOHNLkwGc8wA@mail.gmail.com>

Pavel,
Thank you for providing the opportunity to provide feedback.

I think that there could be a reasonable argument for:
1) Turning on all options to ensure that the port will build, and most
"ports consumers" can expect the functionality they need. Presumes that the
consumer will customise the port.
2) Enable the minimal useful options, so that out of the box there is
minimal functionality. Assuming basic/no network complexity. Might be
sufficient for people starting their FreeBSD journey.
3) Enable options that provide the best coverage for the most common
scenario of use, carries assumptions of network and
authentication/authorisation use.
4) Turn on only those options that the maintainer uses, as that is what has
been thoroughly tested.
5) Turn off all options, forcing a consumer to enable what they need.
(Largely counter-productive)

Over the years I've seen options 1-4 being used, however I would "vote" for
3 - most common (sense) use case  :)

If using transparent proxying requires a custom kernel, then I think it's
reasonable to expect that the port/package should also be customised to
suit the FW choice.

Should we care about what FreeBSD "distributions" require?  Yes, to the
extent that the options that they require, function correctly; particularly
when the requirements are mutually exclusive.

To your point about kerberos, I build ports against the heimdal port, and
the package content is correctly linked, per:
# ldd /usr/local/libexec/squid/negotiate_kerberos_auth
/usr/local/libexec/squid/negotiate_kerberos_auth:
        libheimntlm.so.0 => /usr/local/lib/heimdal/libheimntlm.so.0 (0x2807f000)
        libhx509.so.5 => /usr/local/lib/heimdal/libhx509.so.5 (0x28085000)
        libcom_err.so.1 => /usr/local/lib/heimdal/libcom_err.so.1 (0x280c4000)
        ...

As FYI, this is what I enable
     AUTH_KERB=on: Install Kerberos authentication helpers
     AUTH_LDAP=on: Install LDAP authentication helpers
     AUTH_SASL=on: Install SASL authentication helpers
     AUTH_SMB=on: Install SMB auth. helpers (req. Samba)
     EXAMPLES=on: Build and/or install examples
     FS_AUFS=on: Enable AUFS (async-io) support
     IPV6=on: IPv6 protocol support
     KQUEUE=on: Enable kqueue(2) support
     SSL=on: Enable SSL gatewaying support
     SSL_CRTD=on: Use ssl_crtd to handle SSL cert requests
and I would not expect these options to be enabled by default ;)

Thank you for maintaining squidXX; it is a port with a lot of useful options.

Kind regards, Dewayne
PS Selecting the language option(s) would be nice to reduce the package
size, perhaps error_dirs?= and error_dir_links?=  but I digress.

On 6 December 2015 at 20:44, Pavel Timofeev <timp87@gmail.com> wrote:

> Hi!
> I'm a maintainer of squid port and I'd like to ask you about default
> squid options turned on by default.
> Squid 4 is in release candidate stage now and we already have an
> initial port for it here
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203860.
>
> So, what do you think: which options should be turned on by default?
>
> I think the main idea should be that if an option doesn't invoke any
> additional dependency, it should be turned on.
> However, there are options like TP_{IPF,IPFW,PF} which mean
> 'Transparent proxying with {IPF,IPFW,PF}'. They don't invoke any
> dependency.
> If you have GENERIC kernel and world, of course.
> Well, I know, we can't satisfy everyone, so the default option set has to
> be guided by common sense and appropriate for most.
>
> But there are FreeBSD-based OSs like pfSense, FreeNAS, etc.
> Should we think/care about them? To be honest I've never used them. I
> may be misunderstanding something.
>
> Same story with GSSAPI_BASE. It needs Kerberos from the base system, which
> can be absent in other FreeBSD-based OSs.


