[MIR] nginx
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nginx (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Availability:
nginx is built and available on all current architectures in Trusty (I'm not considering ppc64el "current" yet).
Rationale:
nginx is increasingly relevant to the Web 2.0 crowd, who are key users of Ubuntu Server. apache2 exists and we want to keep it in main also, there seems to be a split in userbase between those who use Apache (traditional) and those who use nginx (newer stacks). nginx seems to have gained a reputation for being fast and lightweight. This may or may not be true when compared against Apache, but many stacks today are deployed on nginx, and we are hearing that this is what users want and are running today. Therefore, we should have nginx in main to keep Ubuntu Server relevant to these users.
Security:
nginx supplies a public-facing daemon and listens on a privileged port, so needs a more in-depth security review. I hear that nginx was previously declined in main due to security concerns, but have been unable to find a previous MIR. I understand that the security team are prepared to re-review and determine how nginx's security status may have changed if I file this new MIR to track such a review.
This list of CVEs is not comprehensive; nginx has an extensive security history and this MIR requires a detailed security review.
A recently discovered vulnerability was CVE-2013-4547. This was addressed in Debian within a couple of days (http://
Other outstanding CVEs:
* CVE-2011-4968: this is a security-related missing feature, rather than a vulnerability per se. It's certainly debatable. It can only sensibly be addressed upstream. Debian don't deem it necessary to fix; I don't think Ubuntu needs to either.
* CVE-2013-0337: in progress in Debian for the upgrade path.
* CVE-2013-2070: Debian status in http://
Stronger SSL configuration by default: pending testing and upload in http://
Quality assurance: The Debian maintainers appear active and responsive to bug reports. Thomas Ward has been active watching the Ubuntu package, cherry-picking fixes from Debian, keeping an eye on security fixes and generally keeping the nginx package in Ubuntu up-to-date. If nginx enters main, then Thomas has said that he'll continue to look after the package as best he can, and the rest of the Ubuntu Server Team has committed to back him up where necessary.
Some non-standard packaging behaviour that is not mandated otherwise by policy:
* The service doesn't start automatically when the nginx package is first installed; you must use "sudo service nginx start" the first time. But the service does automatically restart on upgrade, etc, if the daemon was already running. invoke-rc.d is used correctly. This packaging behaviour appears to be intentional.
* /var/www is not the default document root, nor /var/www/html (the proposed new standard). Instead, it is /usr/
Apart from this, the package works straight away as a typical nginx user would expect.
No debconf templates. No major long-term outstanding bugs. As a popular package there are a number of long-term outstanding bugs, but these all appear to relate to edge case behaviours or feature requests that do not affect the majority of nginx users.
nginx appears active both upstream and in Debian and appears to be maintained well, with regular uploads in Debian over 2013, including wheezy security updates. A debian/watch file exists, appears functional, and the latest upstream version is packaged. There does not appear to be a relevant upstream test suite.
-dbg packages exist. Question: do these need ddeb generation for Ubuntu instead? What is our policy here?
UI standards: N/A for this server package
Dependencies:
* Build-Depends: liblua5.1-dev is only fulfilled by universe. Removing this will clearly drop lua support, but nginx will still work fine. Can lua support be dropped from nginx without disproportionate impact to users?
* The nginx-naxsi-ui binary package depends on daemon, which is in universe, but nothing depends, recommends or suggests nginx-naxsi-ui. Can nginx-naxsi-ui be kept in universe, with the other components in main?
FHS compliance: the packaging appears FHS compliant. Debian policy compliance: nginx claims compliance to 3.9.4; current policy is 3.9.5. The packaging uses traditional debhelper and appears to be done in a straightforward way, though necessarily a little more complicated than usual due to the multiple binary packages with different build configurations, as might be expected with this sort of package.
http://
~ubuntu-server will commit to monitor and maintain nginx in main, with the help of Thomas Ward.
Changed in nginx (Ubuntu):
milestone: none → ubuntu-14.04-beta-1
Changed in nginx (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
It seems that we have to drop lua from the nginx build as a cost of moving nginx to main. If we do this, then the following debdiff appears to work. debian/control should also have the nginx-extras binary package description changed to not claim that Lua is included.