Add --with-compat to NGINX packages

Bug #1797897 reported by Thomas Ward on 2018-10-15
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Nginx
Wishlist
Thomas Ward
Mainline
Wishlist
Thomas Ward
Stable
Wishlist
Thomas Ward
nginx (Debian)
New
Unknown
nginx (Ubuntu)
Status tracked in Disco
Cosmic
Wishlist
Thomas Ward
Disco
Wishlist
Thomas Ward

Bug Description

Adding --with-compat would allow for those compiling dynamic modules separately to include them in the NGINX packages.

This should be considered for Ubuntu and Debian as well.

Thomas Ward (teward) on 2018-10-15
Changed in nginx:
status: Triaged → In Progress
Changed in nginx (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
summary: - Add --with-compat to PPA packages
+ Add --with-compat to NGINX packages
Thomas Ward (teward) wrote :

I realized in IRC I failed to explain properly what happens here.

Related:
https://forum.nginx.org/read.php?29,270210,270213#msg-270213 and
http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011119.html

IN a nut-shell, what --with-compat does is allow people who build NGINX dynamic modules against NGINX in a separate compilation to take their compiled .so modules and include them in the NGINX versions on Ubuntu on their local machine. It would allow someone who, say, built modsecurity for NGINX dynamically and separately to `include` the configuration to enable the modsecurity module for NGINX without having to recompile and install manually alongside it the entire NGINX binary and all the other modules.

From a Security perspective, the only concern would be that third-party modules could be built dynamically then included and activated in individual users' NGINX builds on their own systems. As that happens separately from the NGINX package in Ubuntu, any issues stemming from such inclusions are "End User Problems" and not directly related to the NGINX packages in Ubuntu.

This has some considerations before it gets inserted, as to whether we want users to be able to dynamically compile and include extra modules outside of the binaries we ship already.

However, this bug and the request was prompted thanks to an uptick in requests (10 over 2 days from 10 separate individuals) in my email to enable this functionality both for the PPAs and for Ubuntu.

Seth Arnold (seth-arnold) wrote :

This sounds like a good idea to me. I can understand that nginx upstream might not want this as a default because it sounds like it'll burn memory in structures, but it sounds wonderful for a general purpose distribution with a variety of users who all want something slightly different out of their webserver.

Thanks

Thomas Ward (teward) wrote :

Note that for Ubuntu, this will not be done for Cosmic - we are too late in the dev cycle to do this for Cosmic, so any changes to this which would add this to the Ubuntu packages will be for D-series (whatever it is named). This needs discussed first, however, before it gets included in the Ubuntu Repositories' versions of NGINX.

The PPAs operate independently and will have the fix whenever the next 'upload' to the PPAs happens.

Robie Basak (racb) wrote :

> ...as to whether we want users to be able to dynamically compile and include extra modules outside of the binaries we ship already.

If we can get with this no downsides, then +1. I agree with Seth's comment.

Thomas Ward (teward) wrote :

We are too close to Cosmic release to get this into Cosmic (Won't Fix'd for Cosmic). This will be included in the D-series cycle for Ubuntu.

Changed in nginx (Ubuntu):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Cosmic):
status: Triaged → Won't Fix
Thomas Ward (teward) wrote :

Mainline PPA packages are building with --with-compat in the staging PPA, if all goes well I'll copy it over to the actual Mainline PPA.

Stable PPA is in progress but more slowly due to other work requirements.

Thomas Ward (teward) wrote :

Stable PPA packages are now building with --with-compat in the staging PPA, they'll be copied over if all goes well to the main Stable PPA as well.

Ubuntu changes are on hold until D-series cycle opens.

Thomas Ward (teward) wrote :

PPAs now have --with-compat enabled. Updated packages are copying in from the staging PPAs now.

Changed in nginx:
status: In Progress → Fix Released
Thomas Ward (teward) on 2018-10-30
Changed in nginx (Ubuntu Disco):
status: Triaged → In Progress
Changed in nginx (Debian):
status: Unknown → New
Thomas Ward (teward) wrote :

A packaging change containing the --with-compat change has been committed to disco-proposed, along with security patch fixes via the newer nginx version for bugs #1801982 and #1801983.

Changed in nginx (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.15.6-0ubuntu1

---------------
nginx (1.15.6-0ubuntu1) disco; urgency=medium

  * New upstream release (1.15.6) - full changelog available from
    http://nginx.org/en/CHANGES
  * Remaining Ubuntu-specific changes:
    - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
    - d/{control,rules,nginx-core.*}: add new binary package for main,
      nginx-core, which contains only source-tarball-included modules
      and no third-party modules.
    - debian/tests/control: add nginx-core test.
    - debian/apport/source_nginx.py: Add apport hooks for additional bug
      information gathering.
    - debian/nginx-common.install: Add install rule for apport hooks.
    - d/nginx-{core,light,full,extras}.postinst: Add checks for whether
      port 80 is in use or not to determine whether or not to attempt
      starting of the NGINX service during install/upgrade
    - d/control: Add dependencies to nginx-{core,light,full,extras} on
      `iproute2` as the postinst scripts now use `ss` to determine if
      Port 80 is open or not.
    - d/rules: Enable --with-compat build option for all nginx package
      flavors (LP: #1797897)

 -- Thomas Ward <email address hidden> Tue, 13 Nov 2018 10:10:45 -0500

Changed in nginx (Ubuntu Disco):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.