> Review: Needs Fixing
> Thanks for this branch! I like the idea of adding debconf questions to make it easy to enable certain features. I think thats a great idea. I have some comments about the current implementation though.
>
> [..]
>> +case "$1" in
>> + configure)
>> + # Enable or disable PPAs
>> + db_get squid-deb-proxy/ppa-enable
>> + if [ "${RET}z" != "z" ]
>
> Is this check for empty result really needed? db_get with a boolean
> template should always return either "true" or "false"
We've observed that not establishing a "default" will make the variable empty in some cases, that's why we implemented the check for empty result as "good practice" to avoid nasty surprises.
>
>> + then
>> + case "$RET" in
>> + n*|N*)
>
> Did you test that this actually works? $RET should be either string
> "true" or "false". The buttons in the question whiptail dialog are a
> bit misleading as they can be translated, but the db_get value is
> always either true or false.
It works, this example was actually straight from the package maintainer manual.
>
>> + if [ -f "/etc/squid-deb-proxy/mirror-dstdomain.acl" ]
>> + then
>> + mv /etc/squid-deb-proxy/mirror-dstdomain.acl /etc/squid-deb-proxy/.mirror-dstdomain.acl
>> + cat /etc/squid-deb-proxy/.mirror-dstdomain.acl | sed 's/ppa.launchpad.net/#ppa.launchpad.net/' > /etc/squid-deb-proxy/mirror-dstdomain.acl
>> + rm -f /etc/squid-deb-proxy/.mirror-dstdomain.acl
>
> Is there a advantage to use this over sed -i ? sed will also
> create a temp file first so it should be efffectively the same only
> shorter (unless I overlook something here?).
No there's no advantage over just using sed, it's just my disability to use sed without piping from cat, fixing this now
>
> There is one more issue with the approach taken. When running
> $ dpkg -s squid-deb-proxy
> [..]
> Conffiles:
> /etc/squid-deb-proxy/mirror-dstdomain.acl c430d3bc4818751ee177515a41456708
> [..]
>
> This shows that the two files manipulated are "conffiles". The debian
> policy (in appendix E.1) discourages the manipulation of conffiles
> from a maintainer script. I think adding a new line to squid.conf
> like
> acl to_ubuntu_mirrors_user dstdomain "/etc/squid-deb-proxy/mirror-dstdomain-user.acl"
> that is then either created empty or with the content like 0.0.0.0
> should do the trick (for mirror-dstdomain-user.acl the same, either a
> empty file or a file containing ppa). If that is carefully done all
> users benefit as they can add their own content there without the
> risks of having conffile prompts in the future. Alternatively it could
> use include in the acl files. But I'm not sure that this will actually
> work in a acl file.
I've tried that and the deny unfortunately takes precedence, could you give me an example that you'd think works properly?
>
>
> [..]
>> +Template: squid-deb-proxy/acl-enable
>> +Type: boolean
>> +Description: Enable network ACL
>> + squid-deb-proxy restricts access to the cache by address range
>> + selecting Y in this option will enable a basic private network range
>> + selecting N in this option will allow all IPs to access the cache
>
> Maybe something like "all IPs *in the world* to access the cache" or
> something like this to ensure the user understands that this opens his
> cache for all others. Not that big of a risk because all they can get
> is packages but it may costs bandwith etc and the user/admin should
> understand the difference.
Hi! *waves*
On Jun 7, 2011, at 16:03 , Michael Vogt wrote:
> Review: Needs Fixing proxy/ppa- enable
> Thanks for this branch! I like the idea of adding debconf questions to make it easy to enable certain features. I think thats a great idea. I have some comments about the current implementation though.
>
> [..]
>> +case "$1" in
>> + configure)
>> + # Enable or disable PPAs
>> + db_get squid-deb-
>> + if [ "${RET}z" != "z" ]
>
> Is this check for empty result really needed? db_get with a boolean
> template should always return either "true" or "false"
We've observed that not establishing a "default" will make the variable empty in some cases, that's why we implemented the check for empty result as "good practice" to avoid nasty surprises.
>
>> + then
>> + case "$RET" in
>> + n*|N*)
>
> Did you test that this actually works? $RET should be either string
> "true" or "false". The buttons in the question whiptail dialog are a
> bit misleading as they can be translated, but the db_get value is
> always either true or false.
It works, this example was actually straight from the package maintainer manual.
> deb-proxy/ mirror- dstdomain. acl" ] deb-proxy/ mirror- dstdomain. acl /etc/squid- deb-proxy/ .mirror- dstdomain. acl deb-proxy/ .mirror- dstdomain. acl | sed 's/ppa. launchpad. net/#ppa. launchpad. net/' > /etc/squid- deb-proxy/ mirror- dstdomain. acl deb-proxy/ .mirror- dstdomain. acl
>> + if [ -f "/etc/squid-
>> + then
>> + mv /etc/squid-
>> + cat /etc/squid-
>> + rm -f /etc/squid-
>
> Is there a advantage to use this over sed -i ? sed will also
> create a temp file first so it should be efffectively the same only
> shorter (unless I overlook something here?).
No there's no advantage over just using sed, it's just my disability to use sed without piping from cat, fixing this now
> deb-proxy/ mirror- dstdomain. acl c430d3bc4818751 ee177515a414567 08 mirrors_ user dstdomain "/etc/squid- deb-proxy/ mirror- dstdomain- user.acl" dstdomain- user.acl the same, either a
> There is one more issue with the approach taken. When running
> $ dpkg -s squid-deb-proxy
> [..]
> Conffiles:
> /etc/squid-
> [..]
>
> This shows that the two files manipulated are "conffiles". The debian
> policy (in appendix E.1) discourages the manipulation of conffiles
> from a maintainer script. I think adding a new line to squid.conf
> like
> acl to_ubuntu_
> that is then either created empty or with the content like 0.0.0.0
> should do the trick (for mirror-
> empty file or a file containing ppa). If that is carefully done all
> users benefit as they can add their own content there without the
> risks of having conffile prompts in the future. Alternatively it could
> use include in the acl files. But I'm not sure that this will actually
> work in a acl file.
I've tried that and the deny unfortunately takes precedence, could you give me an example that you'd think works properly?
> proxy/acl- enable
>
> [..]
>> +Template: squid-deb-
>> +Type: boolean
>> +Description: Enable network ACL
>> + squid-deb-proxy restricts access to the cache by address range
>> + selecting Y in this option will enable a basic private network range
>> + selecting N in this option will allow all IPs to access the cache
>
> Maybe something like "all IPs *in the world* to access the cache" or
> something like this to ensure the user understands that this opens his
> cache for all others. Not that big of a risk because all they can get
> is packages but it may costs bandwith etc and the user/admin should
> understand the difference.
Completely true, fixing
> /code.launchpad .net/~lynxman/ squid-deb- proxy/debhooks/ +merge/ 63391
> --
> https:/
> You are the owner of lp:~lynxman/squid-deb-proxy/debhooks.
--
Marc Cluet <email address hidden>
System Integration Engineer
Canonical Ltd.
Office: +44 20 7630 2445
Mobile: +44 7593 233 734
GPG : 31AD 2628 3D54 BC6D 041B 774E 6A3A 01DC 3A15 C5A8