
List:       ubuntu-devel-discuss
Subject:    Re: Packaging libnginx-mod-http-modsecurity
From:       Thomas Ward <teward () ubuntu ! com>
Date:       2020-08-19 0:33:36
Message-ID: fd367eda-e895-d8e9-b811-7f6bd81015ec () ubuntu ! com


Hiya, Niels!

This discussion came up a while ago as to whether to ship it with Ubuntu
or not.  A long while ago, back in the 14.04 cycle, a similar module,
called nginx-naxsi, was shipped in the Ubuntu packaging of NGINX.  It
was also shipped in Debian.  Maintaining this was considered too
difficult because every single bug required a complete recompile of
nginx and yet another package version to be released just to fix a minor
bug in the software, not to mention that keeping it in line with the
proper NGINX version became too tiresome, and Debian dropped NAXSI (which
trickled down to Ubuntu during the 15.04 release cycle).

We've had this question come up several times in the recent two cycles
on private direct mailing lists with me and a few others on the server
team, and among the Server team and myself (as well as the Ubuntu
Security Team), we decided against packaging modsecurity ourselves using
a similar justification that existed with NAXSI.

Right now, I have this justification against packaging ModSecurity in
Ubuntu's repositories:

1. Nobody on the server team, including myself, uses nginx with
   ModSecurity,

2. Maintaining ModSecurity as a separate package is not feasible
   because the only way to build dynamic modules is to compile them
   alongside the NGINX source code at the same time, then take the
   compiled .so binary module and extract it from the build for the
   binary package that installs it.  NGINX does not currently provide
   a way for packagers to have access to the source system other than
   compiling NGINX from scratch (or as part of a packaging build
   process, of which this is one of the steps), which in turn requires
   that the Ubuntu Server Team (or myself, or both) have to help
   maintain the package *including* ModSecurity as part of the nginx
   source package,

3. If ModSecurity has a security vulnerability that affects older
   versions of ModSecurity than the latest, backporting security fixes
   has to be **guaranteed** to be done by upstream for any version
   shipped in Ubuntu for five years, which tends to give the upstream
   software developers strife,

4. There has been no extra justification thus far as to how this is
   globally beneficial in a way that doesn't add extra difficulty to
   the long-term maintenance of the nginx software in Universe or by
   the Server or Security teams (especially in Universe, where security
   patches are community-provided and not done by the Ubuntu Security
   Team regularly),

5. Debian does not ship modsecurity with NGINX, and as a result we
   don't, so adding modsecurity would add a significant delta to the
   packaging and further diverge from Debian heavily.

Primarily because of points two and five, I have been heavily against
adding new third-party modules and such to the nginx source code unless
absolutely necessary to make some functionality replaceable (such as the
libnginx-mod-http-geoip2 module which we added for GeoIP 2 library
support, something Upstream would not do, and that was later picked up
in Debian recently so the delta was significantly reduced).

While I don't speak for the entire Server team, I'm not sure the Server
Team as a whole would want to commit to supporting modsecurity in nginx
on top of the other third-party modules we already have to look after in
the packaging.  You may want to check with Debian first, and ask if
Debian wants to include modsecurity in NGINX.  If they wish to, they can
import it into their packaging, and we'll pick it up in the next Ubuntu
cycle (21.04 most likely), and then it'll be available in Ubuntu.  But
we usually want to check whether Debian wants to support it heavily as
well.  My historical insight into this is that it's been discussed and
rejected in Debian, but you're free to ask the nginx maintainers in
Debian that question as well with a Debian bug.


My two cents for right now, but maintaining modsecurity in nginx could
introduce more headaches for maintaining things in the future for the
Server Team and myself, because any bugs filed against it are likely not
going to get nitpicked and included as fixes because there's no
mechanism to really separately maintain modsecurity outside of the nginx
source package.


------

Thomas
Ubuntu Server Team Member


On 8/16/20 6:55 AM, Niels Kristensen wrote:
> Hi!
>
> I've been looking for the best way to maintain a deb package for the
> ModSecurity dynamic Nginx module:
> https://github.com/SpiderLabs/ModSecurity-nginx
>
> I'm not experienced with packaging for Ubuntu, so I'm not sure if the
> Universe repository is the best place, or if it's a PPA.
>
> I've looked at the other packages for dynamic Nginx modules in
> Universe (libnginx-mod-*), and it seems like they are compiled using
> the same deb source package, so I thought that it might be a good
> place to add the ModSecurity module as well. What do you think?
>
> There is already something out there for building a deb package of the
> module for 18.04 https://github.com/phusion/nginx-modsecurity-ubuntu
> but it is not maintained anymore.
>
> Br Niels
>



