On 10/12/2014 17:45, Matthew Dillon wrote:
> I think wpa_supplicant really has to stay in base. Many new laptops,
> particularly chromebooks, do not have hard ethernet ports any more.
> They only have wifi. So if it isn't in base the person installing
> dragonfly is kinda screwed.
>
> While we could pre-install it like we do git, the plain fact of the
> matter is that the program is so absolutely essential these days
> to being able to get a network up and running on a new user box that I
> just don't want there to be any possibility that it is not there.

We're doing an awful job at keeping such an essential s/w up to date then.
I think adding hostapd and wpa_supplicant to nrelease would be fine since it guarantees that the packages will be installed and probably cached.

How is DF getting installed on a port-less machine anyway? USB-connected CDROM drive? I assume a dports package could be pulled in via the same mechanism if necessary.

> So our only choice is to either keep it as part of the base build, or
> to build it from dports as part of the buildworld/installworld (and not
> as part of the nrelease build). And that has its own problems.

I spent several hours bringing security/wpa_supplicant back to ports (I brought in net/hostapd earlier). I converted everything into dozens of options. The ones that are "on" are enabled by default in our base, the ones that are "off" are not really available via base.

http://www.freshports.org/security/wpa_supplicant/

===> Configuration options are available for wpa_supplicant-2.3:
     DEBUG_FILE=off: Support for writing debug log to a file
     DEBUG_SYSLOG=on: Send debug messages to syslog instead of stdout
     DELAYED_MIC=off: Mitigate TKIP attack, random delay on MIC errors
     HS20=on: Hotspot 2.0
     HT_OVERRIDES=off: Disable HT/HT40, mask MCS rates, etc
     IEEE80211AC=off: Very High Throughput, AP mode (IEEE 802.11ac)
     IEEE80211N=off: High Throughput, AP mode (IEEE 802.11n)
     IEEE80211R=on: Fast BSS Transition (IEEE 802.11r-2008)
     IEEE80211W=off: Management Frame Protection (IEEE 802.11w)
     INTERWORKING=on: Improve ext. network interworking (IEEE 802.11u)
     NO_ROAMING=off: Disable roaming
     P2P=off: Peer-to-Peer support
     PKCS12=on: PKCS#12 (PFS) support
     PRIVSEP=on: Privilege separation
     SMARTCARD=on: Private key on smartcard support
     TDLS=off: Tunneled Direct Link Setup
     TLSV12=off: Build with TLS v1.2 instead of TLS v1.0
     VHT_OVERRIDES=off: Disable VHT, mask MCS rates, etc
     WPS=on: Wi-Fi Protected Setup
     WPS_ER=off: Enable WPS External Registrar
     WPS_NFC=off: Near Field Communication (NFC) configuration
     WPS_NOREG=off: Disable open network credentials when registrar
====> Driver options: you have to choose at least one of them
     BSD=on: BSD net80211 interface
     WIRED=on: Wired ethernet interface
     NDIS=on: Windows NDIS interface
     TEST=off: Development testing interface
     NONE=off: The 'no driver' interface, e.g. WPS ER only
====> Extensible Authentication Protocols: you have to choose at least one of them
     TLS=on: Transport Layer Security
     PEAP=on: Protected Extensible Authentication Protocol
     TTLS=on: Tunneled Transport Layer Security
     MD5=on: MD5 hash (deprecated, no key generation)
     MSCHAPv2=on: Microsoft CHAP version 2 (RFC 2759)
     GTC=on: Generic Token Card
     LEAP=on: Lightweight Extensible Authentication Protocol
     OTP=on: One-Time Password
     PSK=on: Pre-Shared key
     FAST=off: Flexible Authentication via Secure Tunneling
     SIM=off: Subscriber Identity Module
     PWD=off: Shared password (RFC 5931)
     PAX=off: Password Authenticated Exchange
     AKA=off: Autentication and Key Agreement (UMTS)
     AKA_PRIME=off: AKA Prime variant (RFC 5448)
     SAKE=off: Shared-Secret Authentication & Key Establishment
     GPSK=off: Generalized Pre-Shared Key
     TNC=off: Trusted Network Connect
     IKEv2=off: Internet Key Exchange version 2
     EKE=off: Encrypted Key Exchange

I also brought in the conversion to pidfiles from FreeBSD ("convert to using pidfile... This prevents multiple wpa_supplicants running at the same time causing problems w/ wifi not working.") Fixes like that could be quickly added to the port and made available immediately.
Base versions are always much less agile and WPA Supplicant has been getting new releases every 4 months.

At least adding this port makes the update of WPA_SUPPLICANT in base a little bit easier since the log tells us which object files are needed, but the CFLAGS are invisible and thus still tedious.

I've already spent too much time on vendor/WPA_SUPPLICANT, so I'm not going to mess with it any more since the port is available. Somebody else will have to tend to those branches if a version later than 2.1 is desired in base.

John
