Mass cleansing of Apache module POLA violations

Mark Felder feld at FreeBSD.org
Mon Jun 2 17:25:23 UTC 2014


Hi all,

Thanks for maintaining Apache and friends.

I have a request. With my sysadmin hat on, I find maintaining Apache on 
FreeBSD to be the most frustrating Apache experience on the planet. Some 
Apache modules insert LoadModule into your httpd.conf automatically, 
some insert with it commented out (#LoadModule), and some tell you in 
pkg-message what you need to do to activate the module. The 
inconsistency here is embarrassing.

Can we please stop trying to outsmart the sysadmin?

- I do *NOT* want every installed Apache module automatically activated 
on every server. That's bloat and a potential security hole. I might not 
actually need it activated.
- I do *NOT* want pkg automatically manipulating my httpd.conf. It puts 
entries in the wrong spot, sometimes under custom comment sections where 
other LoadModules live.
- I do *NOT* want pkg and Apache to outsmart me and break my systems.
- I *do* want kind, helpful instructions in pkg-message or perhaps 
samples that aren't loaded by default waiting for me in 
%%ETCDIR%%/modules.d/

As of today you can expect the following:

Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. 
Why, you ask? Because mod_perl installs this:

#LoadModule perl_module        libexec/apache22/mod_perl.so

And helpfully *DELETES* my uncommented version of the line upon 
deinstall for upgrade, and re-inserts it commented again!

There are several other offenders like this; I do not have a complete 
list. But the point is: this behavior makes it impossible to reliably 
administer large numbers of servers. Why should I have to deploy updates 
and then fix my httpd.conf every single time? This is just bizarre 
behavior. A port or package should never automatically modify a 
production configuration file. Let the sysadmin handle the insertion or 
removal of configuration.

If we can come up with a standardized mechanism I will *gladly* assist 
in testing and fixing all ... 101 or so Apache modules so we have some 
sort of consistency here.


Thank you for your time.
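
Added example, not part of the original post or of any FreeBSD port: a POSIX sh check that compares a pre-upgrade snapshot of httpd.conf with the current file and reports every LoadModule line that was active before and is now commented out or gone, which is the mod_perl failure described above. The snapshot file names, the rewrite_module line and example_module are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report LoadModule lines that
# were active before a package upgrade and are no longer active afterwards.

# Module names of active (uncommented) LoadModule lines, sorted.
active_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1" | sort -u
}

# Module names of commented-out lines: "#LoadModule x" or "# LoadModule x".
commented_modules() {
    awk '$1 == "#LoadModule" { print $2 }
         $1 == "#" && $2 == "LoadModule" { print $3 }' "$1" | sort -u
}

# loadmodule_drift BEFORE AFTER
# Prints "<module> commented-out" or "<module> removed" for each module that
# was active in BEFORE but not in AFTER; returns 1 if any were found.
loadmodule_drift() {
    now_active=$(active_modules "$2")
    now_commented=$(commented_modules "$2")
    rc=0
    for mod in $(active_modules "$1"); do
        if printf '%s\n' "$now_active" | grep -Fqx "$mod"; then
            continue
        fi
        if printf '%s\n' "$now_commented" | grep -Fqx "$mod"; then
            echo "$mod commented-out"
        else
            echo "$mod removed"
        fi
        rc=1
    done
    return "$rc"
}

# Constructed sample: a snapshot taken before the upgrade and the file after.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule perl_module        libexec/apache22/mod_perl.so
LoadModule example_module libexec/apache22/mod_example.so
EOF
cat > "$tmp/after.conf" <<'EOF'
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
#LoadModule perl_module        libexec/apache22/mod_perl.so
EOF
loadmodule_drift "$tmp/before.conf" "$tmp/after.conf" || echo "drift found"
```

Run against a copy of httpd.conf saved before the upgrade, a non-zero return is the signal to hold the Apache restart until the listed modules have been reviewed.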

