Hiya, Niels! This discussion came up a while ago as to whether to ship it with Ubuntu or not. A long while ago back in the 14.04 cycle, a similar module, called nginx-naxsi, was shipped in the Ubuntu packaging of NGINX. It was also shipped in Debian. Maintaining this was considered too difficult because every single bug required a complete recompile of nginx and yet another package version to be released just to fix a minor bug in the software, not to mention keeping it in line with the proper NGINX version became too tiresome and Debian dropped NAXSI (which trickled down to Ubuntu during the 15.04 release cycle).
We've had this question come up several times in the recent two cycles on private direct mailing lists with me and a few others on the server team, and among the Server team and myself (as well as the Ubuntu Security Team), we decided against packaging modsecurity ourselves using a similar justification that existed with NAXSI. Right now, I have this justification against packaging ModSecurity in Ubuntu's repositories: 1. Nobody on the server team, including myself, uses nginx with ModSecurity, 2. Maintaining ModSecurity as a separate package is not feasible because the only way to build dynamic modules is to compile them alongside NGINX source code at the same time and then get the compiled .so binary module and extract it from build for the binary package that installs it, and NGINX does not currently provide a way for packagers to have access to the source system other than compiling NGINX from scratch (or as part of a packaging build process which this is part of one of the steps), which in turn requires that the Ubuntu Server Team (or myself, or both) have to help maintain the package *including* ModSecurity as part of the nginx source package 3. If ModSecurity has a security vulnerability that affects older versions of ModSecurity than latest, backporting security fixes has to be **guaranteed** to be done for any version shipped in Ubuntu for five years by upstream, which tends to give the upstream software developers strife, 4. There has been no extra justification thus far as to how this is globally beneficial in a way that doesn't add extra difficulty in long term maintaining of the nginx software in Universe or by the Server or Security teams. (especially in Universe, where security patches are community-provided and not done by the Ubuntu Security Team regularly), 5. Debian does not ship modsecurity with NGINX, and as a result we don't, so adding modsecurity would add a significant delta to the packaging and further diverge from Debian heavily. Primarily because of points two and five, I have been heavily against adding new third-party modules and such to the nginx source code unless absolutely necessary to make some functionality replaceable (such as the libnginx-mod-http-geoip2 module which we added for GeoIP 2 library support, something Upstream would not do, and that was later picked up in Debian recently so the delta was significantly reduced). While I don't speak for the entire Server team, I'm not sure the Server Team as a whole would want to commit to supporting modsecurity in nginx on top of the other third party modules we already have to look after in the packaging. You may want to check with Debian first, and ask if Debian wants to include modsecurity in NGINX. If they wish to, they can import it into their packaging, and for us we'll pick it up in the next Ubuntu cycle (21.04 most likely), and then it'll be available in Ubuntu. But we usually are wanting to check if Debian wants to support it heavily as well. My historical insights into this is that's been discussed and rejected in Debian but you're free to ask the nginx maintainers in Debian that question as well with a Debian bug. My two cents for right now, but maintaining modsecurity in nginx could introduce more headaches for maintaining things in the future for the Server Team and myself, because any bugs filed against it are likely not going to get nitpicked and included as fixes because there's no mechanism to really separately maintain modsecurity outside of the nginx source package. ------ Thomas Ubuntu Server Team Member On 8/16/20 6:55 AM, Niels Kristensen wrote: > Hi! > > I've been looking for the best way to maintain a deb package for the > ModSecurity dynamic Nginx module: > https://github.com/SpiderLabs/ModSecurity-nginx > > I'm not experienced with packaging for Ubuntu, so I'm not sure if the > Universe repository is the best place, or if it's a PPA. > > I've looked at the other packages for dynamic Nginx modules in > Universe (libnginx-mod-*), and it seems like they are compiled using > the same deb source package, so I thought that it might be a good > place to add the ModSecurity module as well. What do you think? > > There is already something out there for building a deb package of the > module for 18.04 https://github.com/phusion/nginx-modsecurity-ubuntu > but it is not maintained anymore. > > Br Niels >
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
