feat(v1.100.1b.A): GOTH PR-D4 stage 1 — stop shipping nftban-ui + nftban-ui-auth (transitional DEB package) #499

Merged: itcmsgr merged 8 commits into main from feat/v1.100.1b.A-stop-shipping-goth on Apr 26, 2026

@itcmsgr (Owner) commented Apr 26, 2026

Second step of v1.100.x stabilization train. GOTH PR-D4 stage 1 — stop shipping nftban-ui (Web GUI server) and nftban-ui-auth (PAM auth daemon). Source trees retained; binaries no longer built or published.

What this PR does

Stops shipping

  • nftban-ui binary (was: /usr/sbin/nftban-ui)
  • nftban-ui-auth binary (was: /usr/libexec/nftban-ui-auth)
  • nftban-ui.service, nftban-ui-auth.service, nftban-ui-auth.socket systemd units
  • SLSA provenance for nftban-ui (was a dedicated SLSA build job)

Transitional handling for prior installs (per locked decision: transitional, not hard removal)

  • DEB prerm: disable + mask + remove unit files; delete orphaned binaries; clean /run/nftban-ui; daemon-reload
  • RPM %pre: stop + disable + mask + remove unit files; daemon-reload
  • DEB postinst: chown/chmod loop tolerates absent nftban-ui binary

Retained intentionally (out of 1.100.1b.A scope)

  • ❌ Source trees (cmd/nftban-ui/, cmd/nftban-ui-auth/, internal/ui/, internal/auth/, internal/session/, internal/authproto/) → 1.100.1b.B
  • ❌ Cross-cutting shell + Go references in cli/lib/, internal/installer/, internal/nftbanconf/, internal/api/ → 1.100.1b.C
  • ❌ Documentation updates (docs/ARCHITECTURE.md, CONTRIBUTING.md, SECURITY.md, docs/systemd/, docs/REPRODUCIBLE_BUILDS.md) → 1.100.1b.D
  • ❌ Lifecycle completion work (PR-25-30) — explicitly open

Files changed (9 commits)

| File | Action |
|---|---|
| .github/workflows/ci-go.yml | drop nftban-ui + nftban-ui-auth build/verify entries |
| .github/workflows/build-packages.yml | trim binary inventory loops |
| .github/workflows/slsa-go-releaser.yml | remove build-nftban-ui job + auth notes |
| .github/slsa/nftban-ui.yml | deleted |
| .github/slsa/nftban-ui-auth.yml | deleted |
| .github/workflows/release.yml | remove from binary copy + asset lists + SLSA download retry |
| build.sh | drop build_gui / build_ui_auth / generate_templ; PAM check; usage docs |
| packaging/build_nftban.sh | RPM %install/%files + DEB build helper drop UI binaries+units; transitional cleanup added to %pre and DEB stop-loop |
| packaging/deb/postinst | drop /usr/sbin/nftban-ui from chown loop |
| packaging/deb/prerm | extended transitional cleanup (disable + mask + remove + binary delete + daemon-reload) |
| install/download-binaries.sh | drop UI binaries from fetch/install/verify/SLSA loops |
| install_prerequisites.sh | annotate check_pam as no-longer-required (function retained, not invoked) |
| install/verify_installation.sh | drop optional UI artifact checks |
| CHANGELOG.md | document operator-impact + transitional approach |

Test plan

  • Build & Test green
  • Build NFTBan Packages green (DEB ×4 distros + RPM ×2 distros)
  • CI go-binaries artifact contains: nftban-core, nftband, nftban-installer, nftban-validate (no nftban-ui, no nftban-ui-auth)
  • DEB packages do not contain /usr/sbin/nftban-ui or /usr/libexec/nftban-ui-auth
  • DEB packages do not contain nftban-ui*.service / nftban-ui-auth.socket
  • RPM packages: same checks
  • Source builds: go build ./... still passes (cmd/nftban-ui + cmd/nftban-ui-auth source still in tree)
  • Install Canonization green (DEB + RPM)
  • Uninstall Canonization green
  • Update Canonization green
  • Restore Canonization Gate green (PR-24 surfaces untouched)
  • No regression in PR-23 / PR-24 validated surfaces
  • Real-host smoke (lab2 + lab4): upgrade onto a host with prior nftban-ui install; verify services stopped + unit files removed + binary gone after upgrade

Lifecycle completion remains open

PR-25 (restore execution), PR-26 (verification gate), PR-27-30 (maintenance) remain explicitly open lifecycle completion work. Sequenced after stabilization. Not affected by this PR.

🤖 Generated with Claude Code
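
The real-host smoke check from the test plan above (unit files removed, binaries gone after upgrade), written as an added example that is not part of this PR or the nftban repository. The function name `audit_nftban_ui` and its ROOT argument are hypothetical; the paths are the ones named in this PR, and the check covers files on disk only, not running service state.

```shell
#!/bin/sh
# Added example, not part of the nftban repository.
# Audits a filesystem root for nftban-ui leftovers after an upgrade.
# The ROOT argument is this example's own convention so the check can run
# against "/", a chroot, or a constructed test tree.

# Paths this PR names as no longer shipped.
UI_PATHS="/usr/sbin/nftban-ui /usr/libexec/nftban-ui-auth /run/nftban-ui"
UI_UNITS="nftban-ui.service nftban-ui-auth.service nftban-ui-auth.socket"
UNIT_DIR="/usr/lib/systemd/system"   # unit directory named in the commits

# audit_nftban_ui ROOT
# Prints "RESIDUAL <path>" for every leftover artifact and "MASKED <unit>"
# for every unit masked via a /dev/null symlink in /etc/systemd/system.
# Returns 0 when no residual artifact exists, 1 otherwise.
audit_nftban_ui() {
    root="${1%/}"
    status=0
    for p in $UI_PATHS; do
        # -L also catches dangling symlinks that -e would miss
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "RESIDUAL $p"
            status=1
        fi
    done
    for u in $UI_UNITS; do
        if [ -e "$root$UNIT_DIR/$u" ] || [ -L "$root$UNIT_DIR/$u" ]; then
            echo "RESIDUAL $UNIT_DIR/$u"
            status=1
        fi
        # systemctl mask leaves <unit> -> /dev/null in /etc/systemd/system
        link=$(readlink "$root/etc/systemd/system/$u" 2>/dev/null)
        if [ "$link" = "/dev/null" ]; then
            echo "MASKED $u"
        fi
    done
    return "$status"
}
```

On an upgraded host, `audit_nftban_ui /` should print only `MASKED` lines and return 0; any `RESIDUAL` line means the transitional cleanup did not complete.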

itcmsgr and others added 8 commits April 26, 2026 23:11

ci-go.yml: drop the explicit go build -o bin/nftban-ui + nftban-ui-auth
steps; trim the verify-binaries loop to nftban-core + nftband +
nftban-validate only. Source still compiles via `go build ./...`.

build-packages.yml: trim all 6 binary-loop occurrences to drop
nftban-ui + nftban-ui-auth.

Part of v1.100.1b.A (GOTH PR-D4 stage 1 — stop shipping). Source trees
under cmd/nftban-ui/, cmd/nftban-ui-auth/, internal/ui/, internal/auth/,
internal/session/, internal/authproto/ remain unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…A configs

slsa-go-releaser.yml: drop the build-nftban-ui job and its assemble-release
dependencies + artifact downloads. SLSA build coverage now scoped to
nftban-core only.

.github/slsa/nftban-ui.yml + nftban-ui-auth.yml: deleted entire files —
their sole purpose was building binaries we no longer ship.

Part of v1.100.1b.A (GOTH PR-D4 stage 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…inary lists

Drop nftban-ui-auth from the raw-binary copy step, ASSETS_TO_REPLACE,
EXPECTED_PACKAGES, EXPECTED_ASSETS, SHA256SUMS.build binaries list,
softprops upload list, and SLSA download retry loop. Drop nftban-ui
from EXPECTED_PACKAGES + SLSA download retry loop.

Tightened the missing-asset handler: previously nftban-ui-auth was
treated as optional (SLSA-built). After v1.100.1b.A there are no
optional UI binaries left; all listed assets are now required.

Part of v1.100.1b.A (GOTH PR-D4 stage 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Drop build_gui, build_ui_auth, generate_templ functions
- Drop nftban-ui + nftban-ui-auth from default 'all' build sequence
- Convert 'gui' and 'ui-auth' subcommands to error-with-explanation
- Drop PAM headers prerequisite check (nftban-ui-auth was the only consumer)
- Drop nftban-ui + nftban-ui-auth from go.mod fix-dependencies loop
- Update meta:inventory.binaries comment
- Update usage docs

Source trees under cmd/nftban-ui/, cmd/nftban-ui-auth/, internal/ui/
remain in repo and will be removed in 1.100.1b.B.

Part of v1.100.1b.A (GOTH PR-D4 stage 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…n-ui-auth from payload

RPM (%install + %files):
- Drop install -D for nftban-ui binary + nftban-ui-auth binary
- Drop install -D for nftban-ui.service + nftban-ui-auth.service + nftban-ui-auth.socket
- Drop %files entries for /usr/sbin/nftban-ui and /usr/libexec/nftban-ui-auth

RPM (%pre transitional cleanup):
- Existing stop/disable loop already includes nftban-ui.* units; extend
  to ALSO mask + rm -f the unit files from /usr/lib/systemd/system on
  upgrade. This handles the case where a prior install had these units;
  after this stage they are stopped, disabled, masked, and the unit
  files are removed.
- daemon-reload after the loop so systemd forgets the masked units.

DEB build helper:
- Drop install -m for nftban-ui + nftban-ui-auth binaries
- Drop install -m for nftban-ui.service + nftban-ui-auth.service + .socket
- Mirror RPM transitional handling in the DEB postrm/postinst stop loop:
  stop + disable + mask + rm -f the unit files; daemon-reload.

Header comment updated to document the v1.100.1b.A scope shift.

Part of v1.100.1b.A (GOTH PR-D4 stage 1). The Debian sub-package
'nftban-ui' (built from packaging/deb/rules) is converted to a
transitional package in a follow-up commit in this same PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…aned nftban-ui

postinst:
- Remove /usr/sbin/nftban-ui from the chown/chmod loop. The binary no
  longer ships in v1.100.1b.A; loop now tolerant of absence.

prerm:
- Existing stop loop already includes nftban-ui.service +
  nftban-ui-auth.service + nftban-ui-auth.socket. Extend with explicit
  transitional cleanup that disables, masks, removes the unit files
  AND deletes orphaned binaries (/usr/sbin/nftban-ui,
  /usr/libexec/nftban-ui-auth) and runtime dir (/run/nftban-ui).
- daemon-reload after the loop so systemd forgets the masked units.

postrm:
- Existing nftban-ui cleanup paths preserved (covers purge case).

These hooks ensure that an `apt upgrade` from a prior nftban release
which DID install nftban-ui produces a clean post-upgrade state even
though the new package no longer carries those binaries/units.

The deb/control + deb/rules files are unused by build_nftban.sh
(the active CI builder); they are legacy artifacts. No edit needed
in 1.100.1b.A; will be addressed if the alt build path is reactivated.

Part of v1.100.1b.A (GOTH PR-D4 stage 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…racefully

install/download-binaries.sh:
- Drop nftban-ui + nftban-ui-auth from binary fetch list
- Drop the install steps that copied nftban-ui to /usr/sbin and
  nftban-ui-auth to /usr/libexec
- Drop nftban-ui + nftban-ui-auth from verify-all binaries loop
- Drop nftban-ui + nftban-ui-auth from SLSA provenance check loop
- Update meta:inventory.binaries comment

install_prerequisites.sh:
- Update check_pam() comment: PAM was previously required for
  nftban-ui-auth; now optional. Function is not invoked from main
  prerequisite-check flow, so behavior unchanged. Code retained as
  defensive helper.

install/verify_installation.sh:
- Remove check_file for /usr/sbin/nftban-ui (was marked Optional)
- Remove check_file for /usr/lib/systemd/system/nftban-ui.service
  and nftban-ui-auth.socket (were marked Optional)
- Note that transitional postinst handles cleanup of orphaned
  artifacts from prior installs.

Part of v1.100.1b.A (GOTH PR-D4 stage 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Document operator-impacting change (nftban-ui + nftban-ui-auth no
longer shipped; transitional cleanup of orphaned units on upgrade)
and the build/packaging/release pipeline edits that remove them.

Explicitly note that source trees + cross-cutting references + docs
are retained for now and will be addressed in 1.100.1b.B / .C / .D.
Lifecycle completion (PR-25-30) remains open.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@github-actions (Contributor)

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@itcmsgr merged commit bf2a9dc into main on Apr 26, 2026
49 checks passed
@itcmsgr deleted the feat/v1.100.1b.A-stop-shipping-goth branch on April 26, 2026 20:32