Outdated naxsi version, incorrect learning tools included in packages

This bug was misfiled, this is an issue with the PPAs.

The PPAs are behind because I haven't had a chance to update the PPAs yet. I'll see if I can get to it tomorrow.

If after the PPAs are updated, this still applies, comment on the bug.

Sorry for misfiling the bug, this is more or less my first non-casual launchpad visit and my first time as a bug reporter. It's not always trivial to find your way around.

As I understand, this issue is inherited from the upstream debian package, but it turned out to be even more non-trivial to file a bug report with them.

Perhaps you could share any changes and the reason making them with upstream?

I'll look at the changes made once committed and released and pitch in any info/knowledge I may have on the matter.

Last I checked, Debian is ahead of the PPAs and Ubuntu. It may be possible they already updated the naxsi version already.

If that is not the case I'll forward this bug to Debian.

Thomas
LP: ~teward

Ove, please check the 1.6.0 upload that I just made to the Stable PPA. It may take a little bit to show up, but it will be there, as 1.6.x is now the stable branch.

If this bug still applies there, please change the status of this bug from "Incomplete" to "New" and then if I confirm it's out of date, I'll forward this bug to Debian.

A quick look at the source file http://ppa.launchpad.net/nginx/stable/ubuntu/pool/main/n/nginx/nginx_1.6.0-1+trusty0.debian.tar.gz tells me that the naxsi version is still the same and there is still as far as can see a discrepancy between naxsi version and the learning/white-list tools included.

I left a comment in bug #1168720 , I think the root cause for the problem described in that bug is also due to difference between white-list tool and version of naxsi, although in that bug it's the current white-list tool being used to generate white-list rules for the older version of naxsi included in the nginx-naxsi package.

An upgrade of the naxsi version included would be very desirable if changes are made.

To my knowledge there are extensions to the naxsi config-file format between 0.50.0 and 0.53-2 but not the same compatibility issues that have been seen in combination with previous version upgrades of naxsi. Authoritative answer to this question is best found at the naxsi upstream, https://github.com/nbs-system/naxsi

I think this naxsi faq answer is relevant with regards to this bug-report: https://github.com/nbs-system/naxsi/wiki/faq#Why_do_you_keep_radically_changing_learning_tools_

I'll change the bug status to new.

Thank you for your time and effort!

Changing status to new as requested after inspecting current status.

Bug forwarded to Debian, as it also needs fixing there. I've linked to the Debian bug here on the Launchpad system, so the Debian status will be seen here as well.

When I take a look at the debian bug report page I think I know how Merry and Pippin must have felt when they first met the ents.

After a brief look at the build process it doesn't look overly complicated to do the actual work and bundle the latest released stable version of naxsi and the corresponding learning/white-list tool, I would be happy to provide a patch if requested or invited.

But some package reorganization would be required and I guess this is just like my normal life, I don't get to decide what goes into where and when.

Are there any formal policy documents that can be uses as guidelines for an issue like this? Or is there any place were such issues are discussed?

As of now I consider the state of nginx and naxsi broken for anything but simple use-cases, and it's very confusing when a naxsi proselyte tries to read up on why things don't work and all the information you can find doesn't look or behave like the installation that is done by these packages .

Is the debian upstream package the proper place to try to fix this issue or could it be done using the ubuntu package version and afterwards "push" the change-set upstream?

Don't forget, there's three entities involved in this:
(1) Debian, where the PPA and Ubuntu packages are based off of.
(2) Ubuntu, which is based off the Debian packages
(3) The PPAs, which will very rarely differ from the Debian packages.

What we'd be doing is changing the PPAs, and then hoping for a retroactive change in Debian. Unfortunately, as the primary PPA maintainer, I don't have any say in what Debian does or doesn't do, I just forward the bugs up to them when their packaging is affected. In this case, their packaging is affected, so having a delta between the PPAs and Debian adds work for me because then I have to nit-pick the merging of changes when I update the PPA later. It's easier from a maintenance standpoint to keep everything in sync with Debian for now. Especially since this bug affects Debian.

As for Ubuntu, there's a whole separate workflow for that, and right now I want to let things settle from the 14.04 release.

I do perceive the debian-devs as older, wiser, with a language that's hard to understand, caught up in their own business of protecting the linux world in ways I as an ordinary user don't always understand ... and since they are creatures of immense powers, they are better left undisturbed.

I'm not a clever man, but if I read you correctly you are telling me to head over to debian and try fix the naxsi issues over at their place?

Is it that a quest hobbits like myself can succeed at or is it best to the let the ents discuss the issue among themselves?

Thomas: Don't forget that patching the PPA first is also a way that you can test a change and send us a debdiff that we can use to more quickly the bug you reported in Debian resolved.

Ove: No, your work beyond testing and verifying a resolution is finished unless you choose to try to fix things yourself.

I consider naxsi to be a higher priority than the convenience of packages and updates handled by a distributor and I already compiled/installed nginx - including latest stable naxsi version and nx_util.py as white-list tool. It is not a difficult task for a one-time installation.

The current deb/ubuntu packaging of naxsi can be improved. At a quick glance it appears as the current nginx packagers aren't using naxsi themselves - or at least not frequently modifying white-lists and rule sets.

I was hoping that I could help other users and give something back to my peers by offering any knowledge I may have picked up along the way.

Please let me know if, how and where I can be of any assistance.

I have updated the bug status here in accordance with the Debian bug. (This is done because the PPAs are effectively the Debian packages just rebuilt for Ubuntu, and the idea is to keep almost no delta between them.)

According to the Debian bug, the Debian maintainers are no longer providing support for naxsi and have plans to drop the naxsi packages. The following is a quote from one of the maintainers on this issue (source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746199#18):

"After discussing it with the fellow maintainers we have decided that it is
better to remove the nginx-naxsi package before jessie is freezed.

Packaging naxsi is not trivial and, unfortunately, none of the maintainers uses
it. That's the reason nginx-naxsi is not in a good shape and we are not feeling
comfortable to release and support it.

We are sorry for any inconvenience caused."