Pull in upstream before 9.1 code freeze?

Are there plans to pull the following into head before the code freeze for 9.1?

BIND 9.9.1p1
OpenSSH 6.0p1
IPFilter 5.1.1
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Robert Simmons <[hidden email]> writes:
> OpenSSH 6.0p1

No.  It doesn't build cleanly on FreeBSD (I reported two issues during
the pre-release cycle, one was fixed but the other was not), and even if
it did, it's too big a change to push through on such short notice.

DES
--
Dag-Erling Smørgrav - [hidden email]
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/02/2012 19:08, Robert Simmons wrote:
> Are there plans to pull the following into head before the code freeze for 9.1?
>
> BIND 9.9.1p1

We never change the version of BIND in a release branch. The 9.8 version
that's there is up to date.

The correct solution to this problem is to remove BIND from the base
altogether, but I have no energy for all the whinging that would happen
if I tried (again) to do that.

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Doug Barton <[hidden email]> writes:
> The correct solution to this problem is to remove BIND from the base
> altogether, but I have no energy for all the whinging that would happen
> if I tried (again) to do that.

I don't think there will be as much whinging as you expect.  Times have
changed.

I'm willing to import and maintain unbound (BSD-licensed validating,
recursive, and caching DNS resolver) if you remove BIND.

DES
--
Dag-Erling Smørgrav - [hidden email]
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Tue, 03 Jul 2012 07:39:34 -0500, Dag-Erling Smørgrav <[hidden email]> wrote:

>
> I don't think there will be as much whinging as you expect.  Times have
> changed.

Agreed; if we need DNS in base (really, why?) then unbound+nsd are prime  
candidates, but they're healthily maintained in ports...soo... no real  
advantage.
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Jul 3, 2012, at 2:39 PM, Dag-Erling Smørgrav wrote:

+1 for unbound :-)

--
/"\   With kind regards, | [hidden email]
\ /   Remko Lodder | [hidden email]
X    FreeBSD | http://www.evilcoder.org
/ \   The Power to Serve | Quis custodiet ipsos custodes

_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Tue, 03 Jul 2012 07:39:34 -0500, Dag-Erling Smørgrav <[hidden email]> wrote:

> I'm willing to import and maintain unbound (BSD-licensed validating,
> recursive, and caching DNS resolver) if you remove BIND.

My only issue is that unbound is still a relatively young project  
(released 2007) and rapidly evolving. Unless the FreeBSD releases really  
pick up the pace it might be worse to have an older version in base. Just  
read the changelogs for the last year and you'll see what I mean.
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/03/2012 05:39, Dag-Erling Smørgrav wrote:
You've got a deal!

Unbound requires ldns, which is a good thing. Part of this project would
also be to enable drill so that we have a command-line dns lookup tool
in the base, but that's trivial once you've got ldns imported.

After you get those 3 elements in the base I'm happy to pull BIND out by
the roots.

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/03/2012 06:36, Mark Felder wrote:
> On Tue, 03 Jul 2012 07:39:34 -0500, Dag-Erling Smørgrav <[hidden email]> wrote:
>
>>
>> I don't think there will be as much whinging as you expect.  Times have
>> changed.
>
> Agreed; if we need DNS in base (really, why?) then unbound+nsd are prime
> candidates, but they're healthily maintained in ports...soo... no real
> advantage.

We should not put nsd in the base. There is no need for an authoritative
server in the base, the only reason BIND is there is that it is also a
resolver, and, of course, hysterical raisins.

The dream scenario is one we've discussed in the past:

1. Promote certain ports to "system" status, with more stringent
requirements for both the ports, and the maintainers.

2. Re-tool the installer to give the users choice of which (if any) of
the key system components get installed. Obvious choices for this
category are the perennial favorites of DNS (resolver) and mail,
reasonable arguments can be made for others of course.

Whether we do the above or not, ldns/drill should be imported into the
base so that we have at least one command line DNS resolution tool. A
good "junior hacker" project would be to make a host(1) clone using
ldns. If users want the regular bind tools, ports/dns/bind-tools already
exists.

Given it's unlikely that actually making the installer more modular will
happen before 10-RELEASE, importing unbound is the next best
alternative. And regarding the "it's a young project" issue, I've
followed their development closely, I know the people involved, and I've
used it for some projects. I have zero hesitation.

And for those who are unclear on the problem we're trying to solve, a
quick recap. As things have evolved over time the BIND release cycles
and ours have diverged. Since we don't update the version of BIND in the
base for POLA reasons, for FreeBSD 6, and now 7, this has led to a
situation where our oldest release has an unsupported version of BIND.
Clearly this is unacceptable.

Oh, and to anticipate the traditional "zomg! don't turn freebsd into
linux!!!11!!!" response: First, just because linux does something
doesn't make it wrong, and Second, we can definitely add a *little* more
modularity (which the users have been asking for as long as I can
remember) without "turning into linux."

And finally, to address the "why have a resolver on the system at all?"
question, one word: DNSSEC. At this time there is no good solution to
the problem of the local host system being able to validate a DNSSEC
response. The only viable solution _at this time_ is to have a local,
validating resolver. (Of course, other solutions are being worked on,
but they aren't here yet.) This will become much more important over
time as DNSSEC adoption increases, and more things begin to use it (like
DANE).

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton <[hidden email]> wrote:
How's the security support for ldns / unbound? For third party
software sitting in the 'frontline' that part is rather important.

> also be to enable drill so that we have a command-line dns lookup tool
> in the base, but that's trivial once you've got ldns imported.

Does that means loosing host(1) ? That would be somewhat annoying.

--
Simon
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Wed, Jul 4, 2012 at 9:51 AM, Simon L. B. Nielsen <[hidden email]> wrote:
There's a version of host based on unbound.  At least, there's an
unbound-host package for Debian Linux:

http://packages.debian.org/search?keywords=unbound-host

--
Freddie Cash
[hidden email]
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Wed, Jul 04, 2012 at 10:01:04AM -0700, Freddie Cash wrote:
What would be really nice here is a command wrapper hooked into the
shell so that when you type a command and it does not exist it presents
you with a question for suggestions to install somewhat like Fedora has
done.

You type nmap in the root shell and it will ask you if you would like to
install it.

With that said, given this is FreeBSD, it could offer ...

Would you like to install base package [y/N] ?: N
Would you like to install ports package [y/N] ?: N
Would you like to compile this from ports [y/N] ?: Y

You have these options available:
1) BIND
2) LDNS
3) DJBDNS

Which would you like [0-3]:


I entirely dislike the idea of including something other than bind-tools
within base that are installed, but fully support the idea of providing
a way to allow the user to install a "base package" one that is meant to
install into the base system and have as many as are seen suited to
support the community.

I currently buildworld WITHOUT_BIND and use bind from ports and cannot
justify the time to go through learning/using another instance or at
least at this time when BIND has been perfect for everything I needed to
do.

--

 - (2^(N-1))
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Wed, Jul 04, 2012 at 17:51:52 +0100 , Simon L. B. Nielsen wrote:
> On Tue, Jul 3, 2012 at 9:39 PM, Doug Barton <[hidden email]> wrote:
> > also be to enable drill so that we have a command-line dns lookup tool
> > in the base, but that's trivial once you've got ldns imported.
>
> Does that means loosing host(1) ? That would be somewhat annoying.

You seem to have missed another message Doug posted to this thread
(message-id <[hidden email]>, dated Tue, 03 Jul 2012
14:17:40 -0700) wherein he wrote:

> Whether we do the above or not, ldns/drill should be imported into the
> base so that we have at least one command line DNS resolution tool. A
> good "junior hacker" project would be to make a host(1) clone using
> ldns. If users want the regular bind tools, ports/dns/bind-tools
> already exists.

I was curious and started poking at ldns to create such a tool. It
shouldn't be difficult for anyone familiar with C and DNS who has the
tuits to spare.

--
Thanks and best regards,
Chris Nehren

On 07/04/2012 10:01, Freddie Cash wrote:
Other than my followup where I expressed total confidence in the folks
that produce these tools, I'll leave the advocacy to Dag-Erling.

>>> also be to enable drill so that we have a command-line dns lookup tool
>>> in the base, but that's trivial once you've got ldns imported.
>>
>> Does that means loosing host(1) ?

Yes! Code must be free!!!!!11!!!!  :)

>> That would be somewhat annoying.

Again, see my followup.

> There's a version of host based on unbound.  At least, there's an
> unbound-host package for Debian Linux:

Yes, it's a SMOP. If we produced a BSDL version I'm fairly sure the
NLnet Labs guys would be interested. Dag-Erling probably wants to
contact them first to see if they are already working on something similar.

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/04/2012 11:51, Jason Hellenthal wrote:
> What would be really nice here is a command wrapper hooked into the
> shell so that when you type a command and it does not exist it presents
> you with a question for suggestions to install somewhat like Fedora has
> done.

I would also like to see this feature, which is pretty much universal in
linux at this point. It's very handy.

I look forward to reviewing your patches to implement it. :)

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

At 06:39 AM 7/3/2012, Dag-Erling Smørgrav wrote:
 
>I'm willing to import and maintain unbound (BSD-licensed validating,
>recursive, and caching DNS resolver) if you remove BIND.

I've been using djb, and -- despite its quirks -- I'm very happy with
it. I'd like to have the option of installing dnscache, with the
so-called "Jumbo" patch, as the default resolver. I beleive that the
code has been released into the public domain.

--Brett Glass

_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Wed, 04 Jul 2012 14:19:38 -0700
Doug Barton <[hidden email]> wrote:
> On 07/04/2012 11:51, Jason Hellenthal wrote:
> > What would be really nice here is a command wrapper hooked into the
> > shell so that when you type a command and it does not exist it presents
> > you with a question for suggestions to install somewhat like Fedora has
> > done.
> I would also like to see this feature, which is pretty much universal in
> linux at this point. It's very handy.

I, on the other hand, count it as one of the many features of Linux
that make me use FreeBSD.

I long ago gave up trying to turn off such cruft in Linux. I hope that
if it's added to FreeBSD, turning it off will at least be easy and
obvious.

        <mike
--
Mike Meyer <[hidden email]> http://www.mired.org/
Independent Software developer/SCM consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/04/2012 14:55, Brett Glass wrote:
> At 06:39 AM 7/3/2012, Dag-Erling Smørgrav wrote:
>  
>> I'm willing to import and maintain unbound (BSD-licensed validating,
>> recursive, and caching DNS resolver) if you remove BIND.
>
> I've been using djb, and -- despite its quirks -- I'm very happy with
> it.

Completely aside from its "quirks," djbdns is wholly unsuitable in the
modern DNS world due to it's poor and/or total lack of support for IDNs
and DNSSEC.

> I'd like to have the option of installing dnscache, with the
> so-called "Jumbo" patch, as the default resolver.

As soon as you start talking about "with/without $option" you are
talking about a ports install, which is perfectly fine.

Other than that, if whoever actually pushes all the rocks uphill to make
the installer more modular in this regard decides to include djbdns,
more power to them. :)

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On 07/04/2012 15:01, Mike Meyer wrote:
First, I agree that being able to turn it off should be possible. But I
can't help being curious ... why would you *not* want a feature that
tells you what to install if you type a command that doesn't exist on
the system?

Doug

--

    This .signature sanitized for your protection


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

On Wed, 2012-07-04 at 15:08 -0700, Doug Barton wrote:
The only response I can think of is... If you can even ask that
question, then there's no answer I could give that would make any sense
to you.

-- Ian


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"