As for me, I was glad Darren pointed this out. (In fact, I was quite
surprised when I read the followup acknowledging known buggy code living
in -current.)

-current should not have broken code (note that current-users list now
has automated complaints on failures).

We should strive for a higher standard. We should encourage and maybe
better require that we provide unit tests and/or behaviour tests with
commits too. (Was there ever a public core announcement about when code
is added or bug fixed, that the developer should consider adding ATF
tests or regression tests for it?) (I'd like to extend this to include
security audit tests as applicable, documentation requirements, and peer
review requirements too.)

We should suggest and even force that code known to be broken to be
reverted. (Well I think this is already true, but not happening?) (It
will be easier when we have a better revision control so many can work
easier on branches.)


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

On Tue, 22 Nov 2011 22:55:09 -0600 (CST)
While I agree with most of what you said on a technical level,
unfortunately one must also come to the evidence that NetBSD
maintainers are volunteers with limited time and resources :(

So between the ideal and the practice, it's normal if a gap exists...

That said, I find that the NetBSD code base in general is of a high
quality, and the review process which I often see happening on mailing
lists, while sometimes tedious, tends to help a lot.

As for ipfilter vs npf, npf is known to be in development by most of
us, I think; and ipfilter (or sometimes pf) are still being used on
production systems by many where reliability is important and existing
firewall scripts are maintained and relied-upon (I currently use
netbsd-5 and ipfilter myself). This doesn't mean that an alternative
cannot be in development, incomplete or unstable (especially on an OS
also known to be good for research, such as NetBSD)...

I think its fine for there to be experimental features in - current -
specifically features which have not yet been in any formal release.

In this case I think a note in the manpage, or a stderr message from
npfctl to alert users might have been helpful...

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

[...]
When I committed the code, I did test it with both v4 and v6. Apart from the TCP
state engine bugs, I did not encounter any issues, that's why the commit.

Sorry if it got thru. I'll work with rmind@ on the weekend to fix these.

Best,
Zoltan

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Let me summarise the email to which I responded to for the benefit
of yourself and others in a single sentence:

"The IPv6 merge introduced numerous security bugs."

Exactly what testing was done prior to the merge and how was it done?

Did anyone review these changes or the state of the testing?

Were there people behind the scenes telling you to "get it in",
regardless of the condition of the code?

Darren

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Could you list non-NPF specific security bugs that were introduces?
I still yet to see a list.
Regular usage scenarios. No automated testing with a packet generator,
if that's what you're suggesting.

If we did introduce security holes even when npf is disabled, I sincerely
apologize; if we did not, then I seriously don't get your tone.
I'm not a half-wit, so I can perfectly follow the conversation so far,
thank you.

Zoltan

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Because even if it is disabled by default, there's nothing stopping someone
from downloading -current today, using npf and falling victim to the bugs.

There's more reasoning but I just can't seem to put the thoughts and ideas
into coherant sentences (everything I try just comes out wrong).
My apologies for that.

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

NetBSD provides enough warnings along the way for -current users, e.g. [1]:
This system is running a development snapshot of the NetBSD operating
system, also known as NetBSD-current. It is very possible that it has
serious bugs, regressions, broken features or other problems. Please
bear this in mind and use the system with care.

r.

[1] http://nxr.netbsd.org/xref/src/etc/motd.current

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

And by all means, please feel free to open PRs, and feel free to
assign them directly
to me. I'm happy to fix them.
But it's hard to fix something I don't know about :)

Thanks,
Zoltan

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It is this kind of short-term thinking that depresses me. People do
not (typically) coordinate changes to the repo, and so there is
invariably some fallout, some things need to be fixed up, etc. In
addition to that, I don't know anyone who has every single
architecture, let alone every single platform. So some platforms go
untested.

I think it is completely unrealistic to expect -current to compile at
any one time, and I have been fixing some compilation issues in -current
on and off for a number of years now. Castigating people for checking
things in which are not 100% will have the marvellous effect of encouraging
people not to commit anything, rather than encouraging them to commit 100%
functional work.

Nowadays, we have people running automatic build tests, and the anita
runs are superb (thanks, gson!), along with some very enthusiastic
builders (bch and htodd, to name but two), and havard builds for some
of the more unorthodox architectures. Which leads me to say: I don't
know where you're coming from with this; in fact, I don't remember
your being active in this area, but I may have overlooked something
just recently.

So, yes, laudable aim - completely unworkable in practice.

Regards,
Alistair

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Let me outline what my development process is for doing a
merge when importing ipfilter:

1) sync up a local copy of the repo with rsync to netbsd
2) checkout a copy of that repo
3) do a build of that checked out copy over nfs
4) create zfs snapshots for both the local repo and the
local build on the server

This creates my baseline.

1) import local changes into the local repo, update from
vendor branch to head and checkout
2) apply any required patches
3) update the checked out copy
4) run a build (without doing a "cleandir")
5) if there are any issues, add changes to required patches,
rollback zfs snapshots, go back to (1)

Steps 1, 2, 3 and 4 are all scripted.

I should now have something that should let me update netbsd's
cvs without causing anyone grief. If there are any problems,
they're likely to be minor, quickly and easily fixed.

At this point I also have something that is easily tested and
whilst in the past I've relied upon using ipftest as the only
means of regression testing (processing the packets entirely
in a user space application that embodies all of the kernel
functions), I've now expanded that to allow packets to be
tested in the kernel. The next steps along that path are to
use dedicated test NICs (so that I can test the path into
and out of IP) and further to use different hosts.

It goes without saying that the above use of ZFS snapshots
means that my server isn't NetBSD but the additional time
cost from building over NFS is saved by being able to do
snapshot rollbacks.

I haven't tried the above with UFS snapshots from NetBSD
to know if they would work. If someone needs a reason to
keep pushing for ZFS to work well on NetBSD, consider the
above benefits for the commit cycle. For someone doing
test builds, you could do an "update; snapshot; incremental
build" quite easily.

In Solaris, all commits to the internal Hg repo kick off
a similar sequence of events and committers get an automatic
email if their commit resulted in any new build or lint
errors/warnings. ZFS is the primary enabled here.
Occassionally there are commits where an incremental build
is known to be problematic but this is called out in advance
by the committer(s).

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de