gui-ufw modifies conffiles in ufw

IP masking and IP6 require by ufw (https://help.ubuntu.com/8.04/serverguide/C/firewall.html) to modify the configuration files directly. As for the rest, we'll look into replacing them with ufw commands.

Additionally, the manpage for ufw 0.20 states that "Currently,  ufw  is  a  front-end  for iptables-restore, with its rules        saved    in     /etc/ufw/before.rules,     /etc/ufw/after.rules     and        /var/lib/ufw/user.rules.  Administrators can customize before.rules and        after.rules as desired  using  the  standard  iptables-restore  syntax.", and this is the customization we make use of to provide the added functionality.

With ufw itself making us do this, we'll have to remove this added functionality from our program then...

Additionally, http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.4 states that

"If two or more packages use the same configuration file and it is reasonable for both to be installed at the same time, one of these packages must be defined as owner of the configuration file, i.e., it will be the package which handles that file as a configuration file. Other packages that use the configuration file must depend on the owning package if they require the configuration file to operate."

This is quite true since gufw .debs (once we, upstream make) do depend on ufw...

I'm unclear as to why can't this rule be applied to the ufw-gufw relationship.

It can, but it further says, "The owning package should also provide a program that the other packages may use to modify the configuration file.". Since UFW doesn't do that, you're out of luck. That doesn't mean you can mangle their conffiles.

I'd suggest filing wishlist bugs against ufw.

We don't "mangle", we do what ufw tells us to do... but I'll file the said bug report.

https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/262421

We're working hard about this.

But IP Masking and IPv6 is necesary modify files... Gufw is a GUI for easy manage of ufw. The users liked this features. I think is better that Gufw modify the file, that an inexperienced user :O

In other case, for others events (add,remove,import,export...) we will try change ;)
Thanks by bug report!

Then you need to work with ufw on providing a policy compliant way to access
making those changes. The fact that policy is inconvenient for you to follow
doesn't make it any less of a requirement.

IMO package should be removed if this isn't solved by the beta. UFW is a security sensitive application and adjusting it's configuration in a non-supported way should not be allowed in an Ubuntu release.

i agree with scott.

Hi!
It's fixed in version 0.20.0 ;)
Gufw not writes in ufw files ;D
Thanks by bug!

nice, and welldone marcos! :)

Re-marking as Confirmed because the bug is NOT actually fixed in Ubuntu.

orig.tar.gz

diff.gz

From bzr revisions seems that this new version contains only bugfix... someone can confirm?

New diff.gz

Hi Filoni.

Done too:
Quit remove all button by Select all + Remove.
Updated gnome help.
Quit Ipv6
Quit Hide IP

You need donwload with bazaar.
Best regards.

and not launchpad translations included.

oh! and from 0.0.7, in 0.20.0, you can read "todo" file :)
This was changed:
[done] Module code.
[done] Preferences dialog (ufw log / gufw log / Show Tray Icon / Close when close window / AutoStart).
[done] Range ports.
[done] Start with system.
[done] Keep window position on close and restore.
[done] Gufw log.
[done] ufw Logging.
[done] Launchpad credits translators.
[done] Show/Hide Tray Icon.
[done] Tray Icon enabled/disabled is a checkbutton.
[done] Close button added.
[done] Global command.
[done] Update version to same ufw version.
[done] Test in Intrepid Ibex.
[done] Not write in ufw files.
[done] Remove "Remove all rules" -> Added select all.

By "quit" he meant removed, because ufw tells the user to modify the configuration files directly (which the ubuntu policy doesn't allow). So we had to remove those features.

Ok, the new bzr revision includes new feature, so I need to request a FFe.
diffstat

The buildlog

Marcos, there is another bug that can be easily fixed:
WARNING: compile error while trying to byte-compile /usr/share/gufw/translates.py: File "/usr/share/gufw/translates.py", line 29
    l_file = path_locale_check, "r")
                                   ^
SyntaxError: invalid syntax
Please fix this.

Please ensure you aren't shipping .pyc files in the .deb.

I am not.

Hi!
I will fixed in the next 11 hours ;)
Now, I can't, sorry.

Fixed!
Thanks Devid ;)

Hmm... what about the following lines?

others.py: commands.getstatusoutput("/etc/init.d/ufw restart")
paths.py:path_hide_ip = "/etc/ufw/before.rules"
paths.py:path_gufw_status = "/etc/ufw/ufw.conf"
paths.py:path_ufw_config = "/etc/default/ufw"
paths.py:path_hide_ip_copy = "/etc/ufw/before.rules_copy"
paths.py:path_ufw_config_copy = "/etc/default/ufw_copy"

Hi!
commands.getstatusoutput("/etc/init.d/ufw restart") : Restart ufw by command -> https://wiki.ubuntu.com/UbuntuFirewall
When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can add rules to the firewall before enabling it however, so if you are testing ufw on a remote machine, it is recommended you perform:

And this for read ufw status/configuration:
paths.py:path_gufw_status = "/etc/ufw/ufw.conf":
    def check_gufw_status():
       if file_search_string(path_gufw_status, c_gufw_enabled_infile) == c_found:

paths.py:path_ufw_config = "/etc/default/ufw":
    def check_deny_all():
 if file_search_string(path_ufw_config, c_deny_all_infile) == c_found:
   def check_ipv6():
 if file_search_string(path_ufw_config, c_ipv6_infile) == c_found:

--------------
   and file_search_string only open for read ;)
     def file_search_string(p_file, p_string):
 try:
  l_file = open(p_file, "r")
---------------

I forget remove this residual code:
paths.py:path_hide_ip_copy = "/etc/ufw/before.rules_copy"
paths.py:path_ufw_config_copy = "/etc/default/ufw_copy"
paths.py:path_hide_ip = "/etc/ufw/before.rules"

Ok, I'm working on the new package.

Are any of those files actually modified? It's no problem policy wise for
gui-ufw to read and use the contents of files or to restart ufw via the
init script.

Hi! ;)
I don't modify any ufw files ;) don't worry.
In the past I didn't know this policy, but I will never do it ;)

If you like review, I open files for write with literal "w".
You can search this in the files too:
# Paths system
path_system_root = "/usr/share/"
path_locale2 = "/usr/share/locale"
path_gufw_status = "/etc/ufw/ufw.conf"
path_ufw_config = "/etc/default/ufw"
path_ufw_rules_ipv4 = "/var/lib/ufw/user.rules"
path_ufw_rules_ipv6 = "/var/lib/ufw/user6.rules"

Never writes.
In other way, this bug is more important, and I will review all code ;)
Best regards.

orig.tar.gz

For the FFe...
diffstat

Install log:

dfiloni@dfiloni-desktop:/var/cache/pbuilder/result$ sudo dpkg -i gufw_0.0.7c+bzr109-0ubuntu1_all.deb
Selezionato il pacchetto gufw, che non lo era.
(Lettura del database ... 103304 file e directory attualmente installati.)
Spacchetto gufw (da gufw_0.0.7c+bzr109-0ubuntu1_all.deb) ...
Configuro gufw (0.0.7c+bzr109-0ubuntu1) ...

dfiloni@dfiloni-desktop:/var/cache/pbuilder/result$

Build log attached.

(Devid: There's no need to upload the .orig.tar.gz; just a link to it is enough :).)

Ehm... it is the tarball of a bzr revision, there is no a link ....

In that case the sponsor should roll it themselves. Nothing personal, but
since you are not yet an Ubuntu developer, the sponsor should take the code
from the upstream source themselves.

Marking as In Progress since Confirmed means "FFe granted".

Hi! ;)
New alpha1 version available!
Thanks to all ;)

diff.gz for gui-ufw 0.20.0 beta 1

Buildlog

Diffstat

Install log (italian)

Did you do any testing on this? I see some bugs open (on this version) in the upstream bug tracker, is this thing anywhere near a releasable state?

I've tested bug 267232 and for me it works fine.

Upstream has two critical bugs (bug #262975 and bug #263308). It is not clear if they are related to gui-ufw or directly to ufw, but I think it's definitely worth looking at them. If they're related to gui-ufw, I don't think we should support a software which breaks something living in standard seed.

I think the bugs are related to ufw and so also in gui-ufw (indirectly).

Hi Luca.
It's an ufw problem, as you can read in the bugs. But affects to Gufw for the remove rules.
In Gufw we were working hard for fixed the logic of remove rules with this bugs. And It's solved ;)
ufw works fine, and Gufw works fine too.
But I think that the bugs are criticals in Gufw because ufw is the powered by ufw.
Best regards

I like explain:
The code was parched for can remove rules of this bugs.
It's better fixed this bugs in ufw for Gufw, but Gufw works fine.
I did put as "critical" bug only because Gufw is powered by ufw.
It isn't critical bug to the system, ufw or Gufw.
Best regards ;)

ACK from me, please try to triage those critical bugs and work closely with Jamie to get them fixed.

This software is still in what looks like an early development stage, and having uploaded it in a rush one day before FF doesn't make it any better.
I was very much tempted to ask it be removed from the archive, however, having seen that upstream is very active and cooperative I'm more inclined to let this goes through; I would however like that we make it clear that this is still under heavy development.
As a minimum, I would add the following disclaimer to the long description:

"This software is still in an early development stage and should be considered experimental."

That's a pity. Every Gufw release has at least a week's worth of QA before
being released, and we have had no cases reported (nor found on the net)
where is broke a system, at all.

One of the bugs is really a ufw bug, we just linked it so we'd know the
status of when is it fixed (it has gone by for over a week with no attention
though, it seems). If unlinking and just subscribing the Gufw team directly
to the bug would give a... better appearance, let us know.

And the other bug, well, is a duplicate, since it resolves around ufw status
not reporting the protocols for a rule.

@Vadim,

my comment is not meant to be a critique towards you and the other upstream developers, quite the contrary. I'm very happy that you are so active and cooperative, and I'd really love to see your work being published in Ubuntu so that it gets the exposition it deserves.
I do however believe that we ought to be honest with Ubuntu users and we should not present this as a stable and proved utility (no matter where the problem lies, be it in gufw or ufw or in their interaction).

Cesare, I thing you are right, also the new package is an alpha, so the comment should be there. As the package is ACKed can I upload it (after changing the description)?

(Cesare, however there is no reason to remove it, a lot of users in brainstorm want it and this is why I've done the package)

@Cesare
Gufw is stable and according to the GPL license, comes with no warranty. It has been tested for ten releases now (https://launchpad.net/gui-ufw/+download) and several months by many users (according to popcon, ~15,000 people have Gufw installed on their Ubuntu computers, with no complaints of it breaking anything).

This friday (12 September) Gufw 0.20.0 will be released. You can will test it.

The question of all this are the 2 bugs with state "critical" in Gufw, which are caused by ufw.
Saying that these states influence programming Gufw, but it isn't critical to the system, Gufw or ufw.

Putting the bugs to criticals, we seek to revealance something that we can not change by the Gufw developers.

Highlight: The critical bugs are critical for the development of Gufw (It's a little more complicate), not in use of Gufw.

I understand your concern, but, the issues are related not the users, but the future coding of Gufw. I don't see a reason why should a user be alerted about the programs future development.

Best regards.

> This friday (12 September) Gufw 0.20.0 will be released.

If there will be more bugfixes, I think it's worth waiting for 0.20.0
final before uploading.

@Devid, yes, with that proviso I can confirm the FFe. I would be even happier if we wait and use the official 0.20.0 tarball which is released tomorrow.

@Marcos, I hear you and I have a lot of sympathy for you. We do have gufw in our official repository only since August the 27th, and we see that there are still few issues to be ironed out. We appreciate all the work you are doing and you will keep doing, as well as all the testing that has been devoted to this already. As you can see, once you get integrated into a distro there are other issues which need attention. The issue that was flagged by Scott was a pretty serious one for us, so we are just being cautious and I think fair to both you and the users.
Please also consider that we won't be uploading new versions during the Intrepid lifetime (except possibly as backport), its only going to be bug fixes.

I'm testing the version 0.20.0, and I not found bugs.
In the releases, more users downloads the application, and maybe can be found some bug.
We will work hard this weekend for the possibles issues ;)
Best regards!

I think that causing the application description to be changed goes a bit too far. Since upstream is active and involved, as long as they'll agree to support bug fixes in the Intrepid version, I think it's OK.

It brings to mind the gdesklets package that was in an immature state for Hardy. They had a large stack of bugs against he package initially, but after a good SRU, it was good. I give my ack for 0.20.0 final. Whoever sponsors should personally verify this bug is completely fixed. If you need help, let me know.

Scott, I've already checked the code and done my questions about it above with good replies :)
I will check again with the final version.

Yes Scott, I think that this bus is fixed for the version 0.20.0, and now we are talking about others things.
Of course, in the time, Gufw will be better :D as ufw, Ubuntu and the community ;D
Best regards!

I do disagree, gdesklets was indeed a case were this should also have been done. Making it clear in the package description is a very sensible thing to do.
Setting it back to incomplete.

@marcos, @vadim,
I have mulled this over and you are after all in the best position to judge about the maturity of your software. Since you have quite clearly expressed your opinion and you don't think that having such a description for the package is fair I agree with Scottk and confirm the FFe.

@Cesare ;)
Hello.
I know my application, but obviously I can not guarantee its stability at 100%. Any software has millons tests that can be subceptibles to break it. I tried a lot, but it is still likely to find some bugs after the publication of the final version (It's more used, little people download the alphas & betas).
The software more safer, can be broken ;P

I agree with you, we are not adequate for the maturity of our software, and I will not comment on it ;) Sorry.

I also wish to clarify that we entry into the official repository of Ubuntu is a dream, and I am the last person to want to add a bad application to Ubuntu.

My advice is to wait one week of their publication, pending bugs that may occur, and solve them. Then judge whether if it is appropriate to include ;)

Thank you all for the morale, the criticals and improvements :D

Best regards! :)

I think it's better to upload 0.20 as soon as you release it. That will get
it to a wider audience for testing. If there are problems and you can
provide patches, we can then update the package.

I agree, there is no point in waiting. As long as you can push patches forward we are fine.

Can I upload it directly or I need a FFe for the final?

Go for it, you got your FFe.

If I may ask, what does a FFe mean?

FFe = Feature Freeze Exception = Permission to upload the new version
has been granted.

Feature Freeze exception. You can check what the Feature Freeze milestone means for us here:

https://wiki.ubuntu.com/FeatureFreeze

This bug was fixed in the package gui-ufw - 0.20.0-0ubuntu1

---------------
gui-ufw (0.20.0-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #262405).
  * Drop debian/gufw-launcher, now upstream ships it.
  * Update debian/copyright.
  * Adjust upstream email in debian/gufw.1.
  * Add gufw/todo to debian/docs.

 -- Devid Antonio Filoni <email address hidden> Mon, 12 Sep 2008 21:31:47 +0200

FFe is Feature Freeze exception.