In D53605#1223887, @ivy wrote:

In D53605#1223886, @jlduran wrote:

Perhaps the discussion can be if we want to make WITHOUT_BLOCKLIST the default? That would be understandable, since it has a low usage rate, I would approve that.

i would definitely be opposed to that; blocklistd is useful functionality and requiring people to rebuild the system from source to use it would be user-hostile. that's the opposite of what we're trying to achieve with pkgbase, which is that it should not be necessary to rebuild the system from source to add/remove optional components.

In D53605#1223872, @ivy wrote:

In D53605#1223871, @jlduran wrote:

Just to make sure I'm on the same page, because to me having FreeBSD-blocklist-lib and FreeBSD-blocklist would be like having FreeBSD-ssh and FreeBSD-ssh-lib.

nothing links against the libraries in the ssh package (or at least i haven't found anything that does yet, while auditing this) so having a separate ssh-lib package would not be useful. the use-case here is someone wants to run sshd, or use the ssh client, but they don't use/want blocklistd - so why do they need to install the blocklistd daemon, the rc.d script, etc? having a blocklist-lib package means ssh can depend on blocklist-lib instead of blocklist[0], and only users who actually want to run blocklistd need to install the blocklist package.

[0] note that pkg adds this dependency automatically

I do not see a working FreeBSD-ssh package without FreeBSD-blocklist

sshd works fine without blocklistd running, doesn't it? i don't run blocklistd on any of my systems, since i don't accept ssh connections from the Internet. as long as libblocklist is present, sshd will work fine, and just silently fail to report failures to blocklistd, just like it would if blocklistd was installed but not running.

On the other hand, if we decide to split, where should we stop? Should FreeBSD-blocklist be split into FreeBSD-blocklist-client and FreeBSD-blocklist-daemon?

that would not be useful as it doesn't make sense to install blocklistd without the client utility to manage it. or IOW, everyone who wants "blocklist-daemon" would also want "blocklist-client".

Just to make sure I'm on the same page, because to me having FreeBSD-blocklist-lib and FreeBSD-blocklist would be like having FreeBSD-ssh and FreeBSD-ssh-lib.
I do not see a working FreeBSD-ssh package without FreeBSD-blocklist, that is, I was going to ask you if we should add a deps block to ssh.ucl?
On the other hand, if we decide to split, where should we stop? Should FreeBSD-blocklist be split into FreeBSD-blocklist-client and FreeBSD-blocklist-daemon?
At this point I'm not opposed nor in favor, I just need to gather more information. Thank you for taking a look at this issue.

Address suggestions:

In D53364#1219018, @0mp wrote:

Note: we could perhaps think about adding a FIREWALL script to depend on instead, but for the time being this patch is fine. Thanks!

This is the simplest fix I can think of to fix PR 280516.
Feel free to commandeer, this or the parent revision. My main objective is to ship blocklist without defects or misleading warnings.

Ignore stderr for now, it throws a bogus warning about an (ethernet) anchor not found (PR 280516).

Remove patch file for bugzila.

In D53273#1216946, @bdrewery wrote:

Do you have a single patch I can test? Or a poudriere bulk secrurity/openssh-portable@all successful build?

In D53273#1216946, @bdrewery wrote:

Do you have a single patch I can test? Or a poudriere bulk secrurity/openssh-portable@all successful build?

In D53177#1216754, @jamie wrote:

It only touches peripherally on jails, but sure, looks good. One could ask why we decided to have a separate and subtlely different "dist" and "distname" but I suppose that's water long since under the bridge.

In D53260#1216709, @emaste wrote:

Ought to list Fixes: af0cc0b22362 I think

In D53260#1216709, @emaste wrote:

Ought to list Fixes: af0cc0b22362 I think

• The first line of the user data file cannot be empty

These are the current checks:

At this point I'm lost against the file specifications:

• Guard earlier against line being empty
• Guard against content being empty

• Fix typos