On Tue, 15 Jul 2003 12:28:15 +0930 (CST), Berndt wrote:

[I wrote]
>> 1)  /usr/pkg/etc/htdig/htdig.conf contains HTML elements referencing
>> an alias of "/htdig/" but that alias isn't created by the installer -
>> no httpd.conf entries are added for htdig.=20
>
>I would prefer a message to that fact at the end of the installation
>cycle rather then having the installation process of htdig to mess=20
>around witht he apache config files.

I'd settle for that too.

>> 2)  The standard htdig graphics only get installed to
>> /usr/pkg/share/examples/htdig/, which seems the wrong place - surely
>> they too would usefully go in /usr/pkg/etc/htdig/.  And there is no
>> warning of that fact from the installer.
>
>Read hier(7). The /etc and /usr/pkg/etc filesystem are set aside for
>system configuration and script files and not as suggested above for
>application example files.

OK - I can agree with you there - we should only have config files and
the like in /etc (and /usr/pkg/etc) - but I suggest that the
"application example" files are more than just examples for most
people - they're the actual resources that most htdig installations
will use for *production* (hardly any htdig installations seem to
change the graphics - they just tweak the HTML).  In which case I
think the graphics and HTML inclusions should all go in one tidy and
more obvious place - maybe /usr/pkg/share/htdig.

>> Finally, because I had umask 027 when I ran "pkg_add htdig*", many of
>> the htdig directories & files did not have adequate permissions (owner
>> root:wheel, perms 640) to be accessible by Apache=20

>Traditionally, the root account has umask set to 022. Why blame the
>installation process if you changed it to something else? The=20
>administrator is clearly to blame for the above problem.

I'm afraid I disagree - the only tradition there derives from *nix's
historic "we can trust everybody" philosophy, which is surely due for
change in these modern protect'n'survive days.  I know there is much
argument on the value of discretionary access control ("don't let
users have read access to files they don't need to read" =3D security
thru obscurity =3D no security), but I've made my decision, and I always
run with umask 027 on all Unixes I administer.  I prefer to knowingly
loosen permissions on files other folks need to access *after* I've
created them.

In fact, if NetBSD really wants to respect the idea that sysadmins
will want to do things their own way, then shouldn't the installers
allow for weirdos with funny umasks like me ?

> ... The ultimate responsibility
>is with the system administrator to correctly install and configure
>system wide applications.

Well yes, but the installers could help.

Thanks for the feedback.

[Jeremy Reed pointed out that I should probably discuss these issues
on the tech-pkg mailing list ...]

Nick Boyce
Bristol, UK