Add Zstd compression module

Bug #1829383 reported by Paweł Krawczyk
Affects: nginx (Ubuntu)
Status: New
Importance: Wishlist
Assigned to: Unassigned

Bug Description

These two modules are now pretty mainstream and should be available within the Ubuntu repo (e.g. nginx-extras line):

https://github.com/tokers/zstd-nginx-module

https://github.com/google/ngx_brotli (REJECTED, see comments --teward)

Thomas Ward (teward) wrote :

Brotli was rejected for inclusion in Ubuntu NGINX after discussion with the Security Team. This was discussed in https://answers.launchpad.net/ubuntu/+source/nginx/+question/678209. There has been no movement in Security Team concerns or any effort to fix a variant of BREACH that is still present in Brotli compression, therefore Brotli remains rejected for inclusion under the same reasoning that was provided back in January.

zstd has not been vetted yet. This requires Security team consultation before it can be continued.

Per Bug Processing guidelines I am setting this bug as "New" and "Wishlist" importance.

Changed in nginx (Ubuntu):
importance: Undecided → Wishlist
summary: - Add Brotli and Zstd compression modules
+ Add Zstd compression module
description: updated
Paweł Krawczyk (pawel-krawczyk) wrote :

Thank you, makes perfect sense. I have preemptively suggested improvements to the zstd module to avoid repeating the issues with brotli.

Thomas Ward (teward) wrote :

Going back to Brotli, though, because I did double check with the Sec Team:

I have consulted with Seth Arnold on the Security Team, and given the Code Bugs identified in Brotli still (and not unfixed), Brotli remains in the "Not Suitable for Inclusion" list. Therefore, Brotli will not be considered.

(Still have to look at zstd, but... they busy, the Security Team...)
