| 2020-03-12 13:39:23 |
Andreas Hasenack |
bug |
|
|
added bug |
| 2020-03-12 13:40:53 |
Andreas Hasenack |
description |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
|
| 2020-03-12 13:41:38 |
Andreas Hasenack |
attachment added |
|
nginx-nogeoip.debdiff https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1867150/+attachment/5336128/+files/nginx-nogeoip.debdiff |
|
| 2020-03-12 13:42:50 |
Andreas Hasenack |
description |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
PPA with a test build, together with bind9 already linking with libmaxminddb:
https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-geoip
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
|
| 2020-03-12 13:43:01 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Release Team |
| 2020-03-16 15:41:24 |
Andreas Hasenack |
description |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
PPA with a test build, together with bind9 already linking with libmaxminddb:
https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-geoip
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
In MIR bug #1861101 we want to bring into main the geoip2 library src:libmaxminedb. The MIR team agreed to that with some conditions, one of which is to demote the geoip1 legacy version of the library (src:geoip) in order to not have both in main. bin:libnginx-mod-http-geoip is one of the reverse-dependencies of bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no longer uses the legacy geoip1 library, and has switched to the supported geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the geoip features in focal. But it's also an opportunity to switch away from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full which are in universe already.
The original plan was to just replace the dependency on libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that can't happen immediately because the source code for libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus is not subject to the MIR that brought nginx into main a while ago. We can't pull bin:libnginx-mod-http-geoip2 into main without another MIR for just that module, which will require a security review. I will file an MIR for that anyway, but we expect the security review to not get done in time for focal. UPDATE: that MIR is bug #1867198.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to universe. This will allow src:geoip (the geoip1 legacy library) to be demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any nginx geoip modules, legacy or otherwise, and thus represents a feature change.
I added a release notes task to the MIR bug #1861101 and the following scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-geoip, if someone got it by installing bin:nginx-core, an "apt autoremove" might suggest that bin:libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives somewhere in /etc/nginx/**, nginx will fail to restart. Note that this would also happen had we replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2, as the configuration directives are different
b) If someone has just main enabled in < focal, with bin:nginx-core and bin:libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be upgraded because it's in focal/universe.
Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
PPA with a test build, together with bind9 already linking with libmaxminddb:
https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-geoip
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18 |
|
| 2020-03-16 16:13:34 |
Ćukasz Zemczak |
nginx (Ubuntu): status |
New |
Triaged |
|
| 2020-03-17 01:04:36 |
Launchpad Janitor |
nginx (Ubuntu): status |
Triaged |
Fix Released |
|
