Packaging libnginx-mod-http-modsecurity

Thomas Ward teward at ubuntu.com
Wed Aug 19 00:33:36 UTC 2020 

Hiya, Niels!

This discussion came up a while ago as to whether to ship it with Ubuntu
or not.  A long while ago back in the 14.04 cycle, a similar module,
called nginx-naxsi, was shipped in the Ubuntu packaging of NGINX.  It
was also shipped in Debian.  Maintaining this was considered too
difficult because every single bug required a complete recompile of
nginx and yet another package version to be released just to fix a minor
bug in the software, not to mention keeping it in line with the proper
NGINX version became too tiresome and Debian dropped NAXSI (which
trickled down to Ubuntu during the 15.04 release cycle).

We've had this question come up several times in the recent two cycles
on private direct mailing lists with me and a few others on the server
team, and among the Server team and myself (as well as the Ubuntu
Security Team), we decided against packaging modsecurity ourselves using
a similar justification that existed with NAXSI.

Right now, I have this justification against packaging ModSecurity in
Ubuntu's repositories:

    1.    Nobody on the server team, including myself, uses nginx with
ModSecurity,

    2.    Maintaining ModSecurity as a separate package is not feasible
because the only way to build dynamic modules is to compile them
alongside NGINX source code at the same time and then get the compiled
.so binary module and extract it from build for the binary package that
installs it, and NGINX does not currently provide a way for packagers to
have access to the source system other than compiling NGINX from scratch
(or as part of a packaging build process which this is part of one of
the steps), which in turn requires that the Ubuntu Server Team (or
myself, or both) have to help maintain the package *including*
ModSecurity as part of the nginx source package

    3.    If ModSecurity has a security vulnerability that affects older
versions of ModSecurity than latest, backporting security fixes has to
be **guaranteed** to be done for any version shipped in Ubuntu for five
years by upstream, which tends to give the upstream software developers
strife,

    4.    There has been no extra justification thus far as to how this
is globally beneficial in a way that doesn't add extra difficulty in
long term maintaining of the nginx software in Universe or by the Server
or Security teams.  (especially in Universe, where security patches are
community-provided and not done by the Ubuntu Security Team regularly),

    5.    Debian does not ship modsecurity with NGINX, and as a result
we don't, so adding modsecurity would add a significant delta to the
packaging and further diverge from Debian heavily.

Primarily because of points two and five, I have been heavily against
adding new third-party modules and such to the nginx source code unless
absolutely necessary to make some functionality replaceable (such as the
libnginx-mod-http-geoip2 module which we added for GeoIP 2 library
support, something Upstream would not do, and that was later picked up
in Debian recently so the delta was significantly reduced).

While I don't speak for the entire Server team, I'm not sure the Server
Team as a whole would want to commit to supporting modsecurity in nginx
on top of the other third party modules we already have to look after in
the packaging.  You may want to check with Debian first, and ask if
Debian wants to include modsecurity in NGINX.  If they wish to, they can
import it into their packaging, and for us we'll pick it up in the next
Ubuntu cycle (21.04 most likely), and then it'll be available in
Ubuntu.  But we usually are wanting to check if Debian wants to support
it heavily as well.  My historical insights into this is that's been
discussed and rejected in Debian but you're free to ask the nginx
maintainers in Debian that question as well with a Debian bug.


My two cents for right now, but maintaining modsecurity in nginx could
introduce more headaches for maintaining things in the future for the
Server Team and myself, because any bugs filed against it are likely not
going to get nitpicked and included as fixes because there's no
mechanism to really separately maintain modsecurity outside of the nginx
source package.


------

Thomas
Ubuntu Server Team Member


On 8/16/20 6:55 AM, Niels Kristensen wrote:
> Hi!
>
> I've been looking for the best way to maintain a deb package for the
> ModSecurity dynamic Nginx module:
> https://github.com/SpiderLabs/ModSecurity-nginx
>
> I'm not experienced with packaging for Ubuntu, so I'm not sure if the
> Universe repository is the best place, or if it's a PPA.
>
> I've looked at the other packages for dynamic Nginx modules in
> Universe (libnginx-mod-*), and it seems like they are compiled using
> the same deb source package, so I thought that it might be a good
> place to add the ModSecurity module as well. What do you think?
>
> There is already something out there for building a deb package of the
> module for 18.04 https://github.com/phusion/nginx-modsecurity-ubuntu
> but it is not maintained anymore.
>
> Br Niels
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20200818/c9db31c1/attachment.html>

More information about the Ubuntu-devel-discuss mailing list