
Re: hurd does NOT need /hurd



On Wed, May 22, 2002 at 09:51:16AM -0400, Marcus Brinkmann wrote:
> On Wed, May 22, 2002 at 10:58:22PM +1000, Anthony Towns wrote:
> > Then don't bother doing it. If the quick hack's no better than no
> > firewall, it obviously isn't going to satisfy me.
> I wonder how you can know it, because you neither know what I am
> satisfied with, nor what the quick hack would look like.

It's not what the hack does that matters, it's the quality of it. If
you don't leave time for it to be tested, there's no way I'm going to
have faith in it.

> You don't even bother to ask what the hack would look like to learn
> about it.

It is *irrelevant* what it looks like. It needs time to be tested. Time
which it won't get if it's left until marginally before the next release.

> Because you don't ask, but still continue to be anal about it, it
> seems I have to break this with you.  It looks like there is a full
> and usable firewall implementation in our pfinet which is really
> the Linux 2.2.14 network stack.  It is currently not compiled in, but
> if it is well written it should be possible to include it, and then
> export the interface in the Debian packaging, and port the Linux
> ipchains program to the Hurd.

Sure, that's great. Just make sure you give it time to be tested.

> I think this is worse than no firewalling for the GNU/Hurd, because
> the ipchains interface sucks and pfinet is going to be rewritten from
> scratch anyway, 

The guy who wrote it for Linux thought it sucked and rewrote it from
scratch too. There're rumours that he thinks the same about iptables,
too. (Hi Rusty :)

> so we have no interest in doing this work, or making
> this interface in any way official.

...but at least he actually got out there and *did* it. The only way to
work out the right way to do something is to do it the wrong way a few
times first.

> But I am not doing this work just to
> make you personally happy, first I want to see if we make all other
> release goals and if it is still necessary by the time the freeze comes
> closer.

And if you do that, you'll find you've left it too late, and that there's
not enough time to put together a usable firewalling tool. I'm not sure
what you're not getting about that. If you leave it 'til the last minute,
you'll be twiddling your thumbs for yet another year.

> Because you already said that ipchains is fine with you, I was reasonably
> sure that it would be good enough from your point of view, although with
> my GNU/Hurd developer hat on I am totally opposed to doing this.
> This is because this will make Debian GNU/Hurd incompatible with
> GNU/Hurd, and this is not what we want.  There is no chance that the
> hack will ever make it into GNU/Hurd officially, and because I have to
> change the server interface for this hack, we will break compatibility
> back and forth when we do the real network stack.  But of course,
> Debian doesn't need to care about such fine details of system
> development.

So much for the benefits of being able to develop everything in userspace,
eh?

To reiterate: don't leave thinking about this or doing it (or any of
the other things that make the Hurd unreleasable) until the next freeze.
If you're prioritising other things above release requirements, that's
your choice, obviously, but do be aware of exactly what that means.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``BAM! Science triumphs again!'' 
                    -- http://www.angryflower.com/vegeta.gif
