[isf-wifidog] Re: [wirelesstoronto-discuss] code contribution to wifidog auth server

Benoit Grégoire bock at step.polymtl.ca
Mar 15 Nov 12:35:24 EST 2005

On November 15, 2005 06:19 am, Rob Janes wrote:
> this is long.  as requested, here's my thoughts ...
> what i'd like is the ability (authorization) to maintain a branch of the
> wifidog source repository.  that would make it much easier for me/us to
> merge isf changes made at the head of cvs with wireless toronto's branch
> of customizations.  the bonus for you isf guys is that unlike bcwireless
> we would be contributing code to the wifidog effort.  you could review
> the customizations we had to make, and come up with some generalization
> so that we would be able to make our customizations less intrusive.
> the fact is that we have made changes to wifidog.  i don't like it that
> we haven't posted our changes back to isf.  i don't like it that our
> changes are not in the main repositiory.  i didn't like it that our
> changes were not in any repository whatsoever until recently.
> we have yet to discuss it as a group in person, but we should.  there
> are two threads of the email discussion.
> 1. the changes patrick made are good.  we want patrick to overlay his
> changes onto the latest wifidog.
> 2. we don't want to branch the source since that will be hard to maintain.
> these two points are mutually exclusive, ie they contradict each other.
> we as a group need to resolve this, since patrick's changes are a
> defacto branch of the source.

I believe you trying to solve two different problem with a single solution, 
and that is the source of the disconnect you see.  There are usually four 
types of branches (I'm sure there is some sort of official terminology for 
this, but I don't have time to look it up).  

Main (or head) branch:  The branch that will eventually become, or branch 
into, the latest official version.

Ad-hoc developpement branch: when you want to develop major changes away from 
the mainline, but still collapse it back into the mainline at some future 
date.  It allows to work as a group on major changes without disrupting the 
mainline.  This may be usefull for some of your changes, but you must be 
certain it's worth the extra overhead, and it has to be a different branch 
from the following.

Customised branch:  when you need a customised version of the main (or some 
other) branch.  Youy regularly sync with the main branch, but you do not 
intend to ever merge it back.  That the case for your cosmetic changes, but 
only when you can't wait for (or contribute) the necessary flexibility in the 

Stable release branch.  Used to allow changes to stable release that are not 
relevent to the main branch.

So to summarise:  You are going to need you own branch (wirelesstoronto-custom 
(or some such) for the near future, with the goal of eventually not needing 
it anymore.  All that will be there are cosmetic changes.  Having that branch 
on our CVS will not by itself make it easier to share your changes back (but 
there should not be any changes to share back, and having it on our server 
will make it much easier for you to sync it to the mainline).

Most of your changes should go directly in head, and occasionally in a 
development branch (not the same as your custom branch above).

> for myself, i started working on two things in wifidog-auth.
> 1. language support doesn't work out of the box on any server I have set
> it up on.

That work that should clearly be done on the head branch.

> 2. the install process is not smooth.  i believe it's an impediment to
> bringing wifidog up in new locations.
> generally, i like the idea of an install/customization script.  so,
> rather than cleaning up the installation instructions, i put some effort
> into refactoring the install script.  it has become a bit of an
> avalanche, but i personally am happy with where it's going.  i didn't
> start out wanting to make changes to the core of wifidog-auth, far from
> it.  however, my install web pages look like a frankenstein monster
> (patchwork).  when i tried to smooth that out it was logical to plug in
> to the existing wifidog-auth UI.  that started me on small changes,

Oups, you didn't know, but that page didn't use the main wifidog UI on 
purpuse, because it can't initially depend on any of the wifidog 
dependencies, not even the mandatory ones (smarty, db abstraction, etc.)

> fixups really, to the UI.  i think you know what those are.  when I got
> to the database setup stuff, i found myself writing a database
> abstraction layer at the same time as wanting to use existing
> wifidog-auth functions for sniffing the database and upgrading the
> database.  then when i wanted to work out some way to display the
> database errors (of which there were a lot), i found myself writing a
> logging abstraction layer since there is none in wifidog-auth.
> all this stuff seemed to me to be a "useful thing" (to paraphrase winnie
> the pooh), so i made these pieces so that they integrated with
> wifidog-auth.
> clearly i've crossed over the rubicon of simple customizations.  these
> are intrusive changes to the core.  if you think they are useful too,
> i'd like to see them checked in at the head.  these are
> to wifidog-auth/wifidog:
> cvs add classes/DBObject.php
> cvs add classes/DBODriver_mysql.php
> cvs add classes/DBODriver_postgres.php
> cvs delete classes/AbstractDbMySql.php
> cvs delete classes/AbstractDbPostgres.php
> replacement for classes/AbstractDb.php

At first glance, I don't get it.  We already have a custom DB abstraction 
layer.  We are open to replacing it with an off the shelf one or improving 
it, but I don't see what replacing it with different but still custom one 
would buy anyone?  But I guess I'll understand when I see the code.

> cvs add classes/EventLogging.php

That's definitely sorely needed!

> then there are changes to common.php to use these two things.  as near
> as i can tell, it's a seamless integration.  however, it is still a work
> in progress.  it is missing some features i want to have for the
> installation script.  it is missing much documentation, making it very
> difficult for others to use.

It's seems unlikely that the only changes needed in the db abstraction layer 
are in common.php, unless you kept the exact same API (but then why change 
the abstraction layer?). 

> if you folks on the other hand find that these changes are not useful,
> then i'll have to find a way to use wifidog-auth's UI from the install
> script without making changes to wifidog-auth's internals.

See above

> however, i've made some security improvements to the database stuff i
> hope you'll accept -
> * database connections using the unix socket (more secure)

?!?!? That was already supported and documented in the INSTALL file.

> * distinguish DBA connections from regular user connections so you can
> lock down permissions on the regular wifidog-auth database userid

Aside from being able to create new database, the wifidog user needs no 
special privileges, and should not have any.

> why didn't i use PEAR for a db abstraction or a logging abstraction?  i
> looked in to that.  nothing i found on pear did what i wanted it to do,
> and the stuff on pear was not easy to integrate with wifidog-auth.
> also, i needed the install script to use this stuff from the get-go.  i
> didn't want to deal with writing the install script so as to fail
> gracefully if it's own prerequisites were not present.  i want the
> install script to be self-contained.


> as well, i made intrusive changes to include/schema_validate.php.  i
> wanted to use existing routines to check the status of the database.
> however, i most emphatically did not want any changes made to the
> database until the install script was ready.  BUT that's just not how
> schema_validate out of the box works.  on a deeper level, i object to
> running such application intrusive stuff from a user level account.
> schema_validate assumes that the default postgres account for wifidog is
> a dba level account.  that's a security thing.  secondly, i don't like

It should not have any privileges except creating database.

> the idea that database maintenance tasks show up on user's sessions.
> these sorts of things should only be done by the "installer person",
> regular users should not be abused with this kind of stuff on their
> screens.  I am hoping you will find these changes a useful thing.

Well, I may be missing something, but I find what you propose extremely 
dangerous.  When you upgrade a live server, the schema update must happen as 
soon as the code is updated, no matter what.  

Otherwise, you have new code running that may or may not work with the old 
schema (and may even accidentally corrupt data in a way that will break the 
assumptions of the upgrade script).  If you instead checkout in a sandbox 
(but with your real database) to have your schema update before update the 
code on the live server, you have the opposite problem:  old code running 
that may or may not be compatible with the new schema.  That's why schema 
validate is always called (not just from the install script), and why the 
wifidog user must have table creation privileges.

> finally, there is the rewritten install script itself.  i would like to
> contribute that as well.  to be nice, i can put together the install
> script so that it is not intrusive to wifidog-auth and plays by the
> rules.  i would like to work with someone in isf to make sure it works
> well and not just for me.  later this week i hope to have it installed
> on our devauth server so that you'll be able to see it and consider
> whether it too is a useful thing.

I'm sure it's usefull, we must simply make sure we handle the dependencies 
properly (which will affect when it can start to call into the "normal" UI).

> with regards maintenance or responsibility for these changes, i'm happy
> to take on a "maintainers hat" for these things.  i would however need
> write access to the cvs head.

Sure! I'll need your sourceforge username however.

Benoit Grégoire, http://benoitg.coeus.ca/
-------------- section suivante --------------
Une pièce jointe non texte a été nettoyée...
Nom: non disponible
Type: application/pgp-signature
Taille: 189 octets
Desc: non disponible
Url: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20051115/a9f5ed86/attachment.pgp

More information about the WiFiDog mailing list