Re: Package Guidelines: Should config files follow upstream or Fedora defaults?

On Sat, Oct 06, 2018 at 12:54:30PM +0200, Christopher Engelhard wrote:
> Hi,
> I've recently created a package for SSHGuard [1]. SSHGuard is a program
> to block brute-force attacks on SSH and other services, similar to
> fail2ban/etc.
> 
> Now, my issue is the following:
> 
> - SSHGuard is completely agnostic with respect to the firewall-backend
> it uses and the logs it reads. Accordingly, it ships with an example
> config file that does not set either backend or logreader, the user has
> to do that themselves. There are, however, commented example lines
> configuring iptables + journald.
> - Fedora, obviously, by default uses firewalld and journald.
> 
> What is the guideline for packaging software like this:
> 1) Leave it as upstream ships it.
>    - user will have to configure the package before it becomes
>      functional
>    - no dependency on any non-essential packages
> 2) ship example config file as real config file, with upstream's example
>    config activated
>    - package works out-of-the-box
>    - introduces additional, non-default dependency (iptables)
> 3) ship custom config file preconfigured for Fedora defaults
>    - package works out-of-the-box
>    - introduces dependency on default Fedora packages (firewalld)
> 
> Granted, option (2) is rather silly, but is (1) or (3) the correct way
> to go about configuring the package?
> 
> Best,
> Christopher
> 
> [1] https://copr.fedorainfracloud.org/coprs/lcts/sshguard/
> [2] https://www.sshguard.net/

TL;DR: I think option (3) would be the best.

IMHO (I'm still thinking about packaging stuff for Fedora, haven't even
submitted a single package for review yet, although I have some ideas,
so take all of this as coming from kind of an outsider looking in,
albeit an outsider with some experience with other packaging systems),
the point of all of the OS package collections and all the different
distributions is to make software available for the users with several
conditions satisfied:
- the piece of software is adapted to match the way other pieces of
  software packaged in the same system will behave
- all the other pieces of software that this one needs are already
  packaged and adapted in that way
- the piece of software has been compiled/byte-compiled/installed so
  that the user does not have to bother to figure out how to install
  and run the build tools

Once upon a time, back in 1996, it seemed that the third point was
the most important: packaged software saved you the trouble of
1. running around fetching all sorts of compilers and stuff, and
2. waiting around for them to do their job.  Gradually, however,
I came to the realization that the *main* reason I use packaged
software has actually always been the way it all works together
smoothly and seamlessly, the way all the configuration files are
in the same directories, all the databases are in the same tree,
all the startup scripts are enabled, disabled, or configured in
the same way, etc.  The way that I can install several packages,
some of them related to some of the others, but some of them completely
unrelated, and be more-or-less assured that all of them will work
out of the box without the need for me to configure almost anything
(except maybe enable some things, but that, too, is done in the same
way for all of them).

And, yes, when in my work or leisure time I have to work with
servers or personal laptops with different OSs and different Linux
distributions installed, sometimes I do need a moment to remember
just how things are done *here*; still, all in all, IMHO this is
a minor annoyance as compared to the great benefits of consistency
within a single OS/distribution/packaging system.

So, yeah, to finally come back to your question, IMHO it would be best
for SSHGuard to work out of the box with Fedora's firewall package.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp@xxxxxxxxxxxx
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
