SP packaging

Russ Allbery rra at debian.org
Wed Jan 27 02:47:38 UTC 2016


wferi at niif.hu (Ferenc Wágner) writes:

> One of the less obvious changes is changing back native.logger from
> syslog to direct file writes.  If all configurations follow this,
> libapache2-mod-shib2.logcheck.ignore.server could be dropped.  Should we
> do this now or later or at all?

What was the thought process here?  The changelog doesn't really say.

I made this change originally because the upstream behavior at the time
didn't actually work.  As in you would not get anything written to the
static file because Apache didn't have permission to write to it.  There's
probably some way to fix that up in postinst, etc., or maybe upstream came
up with some fix a long time ago and I never noticed?

As long as it works, I have no opinion, as I'm not currently using
Shibboleth and there is definite merit in following upstream behavior.  I
will say that when I was running Shibboleth myself, I had Strong Feelings
about this behavior, namely that logging things directly to a file is
extremely irritating behavior: it breaks local log rotation (we didn't use
logrotate), it separates the logs from everything else and thus from the
normal log analysis flow, it means any syslog aggregation system requires
special work to deal with local files, it makes it harder to get the logs
into systems like Splunk or an ELK stack, etc.  But I no longer have
strong feelings since I'm not currently using it, so I'm happy to have
someone else change it to something they have Strong Feelings about.  :)
Just wanted to be sure that you knew the original reasons why this was
done.

> Also, according to https://issues.shibboleth.net/jira/browse/SSPCPP-645,
> running shibd -t as root can cause permission problems.  I don't think
> we handle this either in the init script or in the service file.
> Something to check...

The init script (I assume that's what you're looking at) tries to run it
as _shibd, and only falls back on using root if that fails.  This was
because the local keys might not be readable by _shibd because _shibd was
a later innovation in the Debian packages and I didn't have a good
migration strategy.  It's been years and years now, so maybe it would be a
good idea to just put something in NEWS.Debian and only use _shibd and let
the init script fail if that doesn't work.  The systemd unit file already
does that.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
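The two init-script behaviours described above, the legacy "try as _shibd, fall back to root if that fails" and the fail-closed variant the systemd unit already uses, written out as an added shell example. This is not code from the thread or from the Debian package's init script. It assumes the daemon user is _shibd and the config test command is "shibd -t" (both overridable through SHIBD_USER and SHIBD_TEST so the logic can be exercised without shibd installed), and it uses runuser to drop privileges when invoked as root.

```shell
#!/bin/sh
# Added example, not the Debian shibboleth-sp init script.
# Assumed defaults: daemon user _shibd, config test "shibd -t".
SHIBD_USER="${SHIBD_USER:-_shibd}"
SHIBD_TEST="${SHIBD_TEST:-shibd -t}"

# run_as USER CMD... : run CMD as USER.  Runs directly when we already are
# USER, drops privileges with runuser when we are root, and refuses otherwise.
run_as() {
    user="$1"; shift
    if [ "$(id -un)" = "$user" ]; then
        "$@"
    elif [ "$(id -u)" = 0 ]; then
        runuser -u "$user" -- "$@"
    else
        echo "cannot switch to $user: not root" >&2
        return 1
    fi
}

# check_readable USER FILE... : verify each FILE is readable by USER, as the
# daemon itself will see it (root can read anything, so testing as root
# proves nothing).  Reports every offender and returns non-zero if any.
check_readable() {
    user="$1"; shift
    rc=0
    for f in "$@"; do
        if ! run_as "$user" test -r "$f"; then
            echo "not readable by $user: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# legacy_config_test: the behaviour described for the old init script.
# Tries the config test as SHIBD_USER and silently falls back to root when
# that fails, which hides key/config ownership problems instead of surfacing
# them.  Prints the user the test succeeded as.
legacy_config_test() {
    if run_as "$SHIBD_USER" sh -c "$SHIBD_TEST" 2>/dev/null; then
        echo "$SHIBD_USER"
        return 0
    fi
    if [ "$(id -u)" = 0 ] && sh -c "$SHIBD_TEST"; then
        echo root
        return 0
    fi
    return 1
}

# strict_config_test: the fail-closed behaviour.  Only ever runs the config
# test as SHIBD_USER; if that fails, stop and say why rather than escalating.
strict_config_test() {
    if run_as "$SHIBD_USER" sh -c "$SHIBD_TEST"; then
        echo "$SHIBD_USER"
        return 0
    fi
    echo "config test failed as $SHIBD_USER; fix ownership/permissions of the keys and config instead of running as root" >&2
    return 1
}
```

In an init script's start action, run check_readable on the certificate and key paths first so the error names the offending file, then strict_config_test; a failure there is a packaging or migration problem to fix, not a reason to start the daemon as root.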
