Re: Experiments with npf on -current

[Matthew Mondor <mm_lists%pulsar-zone.net@localhost>]

On Tue, 22 Nov 2011 22:55:09 -0600 (CST)
"Jeremy C. Reed" <reed%reedmedia.net@localhost> wrote:

> We should strive for a higher standard. We should encourage and maybe 
> better require that we provide unit tests and/or behaviour tests with 
> commits too.  (Was there ever a public core announcement about when code 
> is added or bug fixed, that the developer should consider adding ATF 
> tests or regression tests for it?) (I'd like to extend this to include 
> security audit tests as applicable, documentation requirements, and peer 
> review requirements too.)
> 
> We should suggest and even force that code known to be broken to be 
> reverted. (Well I think this is already true, but not happening?) (It 
> will be easier when we have a better revision control so many can work 
> easier on branches.)

While I agree with most of what you said on a technical level,
unfortunately one must also come to the evidence that NetBSD
maintainers are volunteers with limited time and resources :(

So between the ideal and the practice, it's normal if a gap exists...

That said, I find that the NetBSD code base in general is of a high
quality, and the review process which I often see happening on mailing
lists, while sometimes tedious, tends to help a lot.

As for ipfilter vs npf, npf is known to be in development by most of
us, I think; and ipfilter (or sometimes pf) are still being used on
production systems by many where reliability is important and existing
firewall scripts are maintained and relied-upon (I currently use
netbsd-5 and ipfilter myself).  This doesn't mean that an alternative
cannot be in development, incomplete or unstable (especially on an OS
also known to be good for research, such as NetBSD)...
-- 
Matt