tech-net archive


Re: Experiments with npf on -current



On 23 November 2011 07:56, Matthew Mondor <mm_lists%pulsar-zone.net@localhost> wrote:
> On Tue, 22 Nov 2011 22:55:09 -0600 (CST)
> "Jeremy C. Reed" <reed%reedmedia.net@localhost> wrote:
>
>> We should strive for a higher standard. We should encourage and maybe
>> better require that we provide unit tests and/or behaviour tests with
>> commits too.  (Was there ever a public core announcement about when code
>> is added or bug fixed, that the developer should consider adding ATF
>> tests or regression tests for it?) (I'd like to extend this to include
>> security audit tests as applicable, documentation requirements, and peer
>> review requirements too.)
>>
>> We should suggest and even force that code known to be broken to be
>> reverted. (Well I think this is already true, but not happening?) (It
>> will be easier when we have a better revision control so many can work
>> easier on branches.)
>
> While I agree with most of what you said on a technical level,
> unfortunately one must also come to the evidence that NetBSD
> maintainers are volunteers with limited time and resources :(
>
> So between the ideal and the practice, it's normal if a gap exists...
>
> That said, I find that the NetBSD code base in general is of a high
> quality, and the review process which I often see happening on mailing
> lists, while sometimes tedious, tends to help a lot.
>
> As for ipfilter vs npf, npf is known to be in development by most of
> us, I think; and ipfilter (or sometimes pf) are still being used on
> production systems by many where reliability is important and existing
> firewall scripts are maintained and relied-upon (I currently use
> netbsd-5 and ipfilter myself).  This doesn't mean that an alternative
> cannot be in development, incomplete or unstable (especially on an OS
> also known to be good for research, such as NetBSD)...

I think it's fine for there to be experimental features in -current -
specifically features which have not yet been in any formal release.

In this case I think a note in the manpage, or a stderr message from
npfctl to alert users might have been helpful...

