Discussion: Moving WPA_SUPPLICANT out of base and into dports

John Marino dragonflybsd at marino.st
Sun Oct 12 15:20:05 PDT 2014 

On 10/12/2014 17:45, Matthew Dillon wrote:
>     I think wpa_supplicant really has to stay in base.  Many new laptops,
>     particularly chromebooks, do not have hard ethernet ports any more.
>     They only have wifi.  So if it isn't in base the person installing
>     dragonfly is kinda screwed.
> 
>     While we could pre-install it like we do git, the plain fact of the
>     matter is that the program is so absolutely essential these days
>     to being able to get a network up and running on a new user box that I
>     just don't want there to be any possibility that it is not there.

We're doing an awful jobs at keeping such an essential s/w up to date
then.  I think adding hostapd and wpa_supplicant to nrelease would be
fine since it guarantees that the packages will be installed and
probably cached.

How is DF getting installed on a port-less machine anyway?
USB-connected CDROM drive?  I assume a dports package could be pulled in
via the same mechanism if necessary.

>     So our only choice is to either keep it as part of the base build, or
>     to build it from dports as part of the buildworld/installworld (and not
>     as part of the nrelease build).  And that has its own problems.

I spent several hours bring security/wpa_supplicant back to ports (I
brought in net/hostapd earlier).   I converted everything into dozens of
options.  The ones that are "on" are enabled by default in our base, the
ones that are "off" are not really available via base.

http://www.freshports.org/security/wpa_supplicant/

===> Configuration options are available for wpa_supplicant-2.3:
     DEBUG_FILE=off: Support for writing debug log to a file
     DEBUG_SYSLOG=on: Send debug messages to syslog instead of stdout
     DELAYED_MIC=off: Mitigate TKIP attack, random delay on MIC errors
     HS20=on: Hotspot 2.0
     HT_OVERRIDES=off: Disable HT/HT40, mask MCS rates, etc
     IEEE80211AC=off: Very High Throughput, AP mode (IEEE 802.11ac)
     IEEE80211N=off: High Throughput, AP mode (IEEE 802.11n)
     IEEE80211R=on: Fast BSS Transition (IEEE 802.11r-2008)
     IEEE80211W=off: Management Frame Protection (IEEE 802.11w)
     INTERWORKING=on: Improve ext. network interworking (IEEE 802.11u)
     NO_ROAMING=off: Disable roaming
     P2P=off: Peer-to-Peer support
     PKCS12=on: PKCS#12 (PFS) support
     PRIVSEP=on: Privilege separation
     SMARTCARD=on: Private key on smartcard support
     TDLS=off: Tunneled Direct Link Setup
     TLSV12=off: Build with TLS v1.2 instead of TLS v1.0
     VHT_OVERRIDES=off: Disable VHT, mask MCS rates, etc
     WPS=on: Wi-Fi Protected Setup
     WPS_ER=off: Enable WPS External Registrar
     WPS_NFC=off: Near Field Communication (NFC) configuration
     WPS_NOREG=off: Disable open network credentials when registrar
====> Driver options: you have to choose at least one of them
     BSD=on: BSD net80211 interface
     WIRED=on: Wired ethernet interface
     NDIS=on: Windows NDIS interface
     TEST=off: Development testing interface
     NONE=off: The 'no driver' interface, e.g. WPS ER only
====> Extensible Authentication Protocols: you have to choose at least
one of them
     TLS=on: Transport Layer Security
     PEAP=on: Protected Extensible Authentication Protocol
     TTLS=on: Tunneled Transport Layer Security
     MD5=on: MD5 hash (deprecated, no key generation)
     MSCHAPv2=on: Microsoft CHAP version 2 (RFC 2759)
     GTC=on: Generic Token Card
     LEAP=on: Lightweight Extensible Authentication Protocol
     OTP=on: One-Time Password
     PSK=on: Pre-Shared key
     FAST=off: Flexible Authentication via Secure Tunneling
     SIM=off: Subscriber Identity Module
     PWD=off: Shared password (RFC 5931)
     PAX=off: Password Authenticated Exchange
     AKA=off: Autentication and Key Agreement (UMTS)
     AKA_PRIME=off: AKA Prime variant (RFC 5448)
     SAKE=off: Shared-Secret Authentication & Key Establishment
     GPSK=off: Generalized Pre-Shared Key
     TNC=off: Trusted Network Connect
     IKEv2=off: Internet Key Exchange version 2
     EKE=off: Encrypted Key Exchange

I also brought in the conversion to pidfiles from FreeBSD ("convert to
using pidfile... This prevents multiple wpa_supplicants running at the
same time causing problems w/ wifi not working.")

Fixes like that could be quickly added to the port and made available
immediately.  Base versions are always much less agile and WPA
Supplicant has been getting new releases every 4 months.

At least adding this port makes the update of WPA_SUPPLICANT in base a
little bit easier since the log tells us which object files are needed,
but the CFLAGS are invisible and thus still tedious.  I've already spent
too much time on vendor/WPA_SUPPLICANT, so I'm not going to mess with it
any more since the port is available.  Somebody else will have tend to
those branches if a version later than 2.1 is desired in base.

John

More information about the Users mailing list