<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hiya, Niels!</p>
<p>This discussion came up a while ago as to whether to ship it with
Ubuntu or not. A long while ago, back in the 14.04 cycle, a
similar module, called nginx-naxsi, was shipped in the Ubuntu
packaging of NGINX. It was also shipped in Debian. Maintaining
this was considered too difficult because every single bug
required a complete recompile of nginx and yet another package
version to be released just to fix a minor bug in the software,
not to mention that keeping it in line with the proper NGINX version
became too tiresome, so Debian dropped NAXSI (which trickled down
to Ubuntu during the 15.04 release cycle).</p>
<p>We've had this question come up several times in the recent two
cycles on private direct mailing lists with me and a few others on
the server team, and among the Server team and myself (as well as
the Ubuntu Security Team), we decided against packaging
modsecurity ourselves using a similar justification that existed
with NAXSI.</p>
<p>Right now, I have this justification against packaging
ModSecurity in Ubuntu's repositories:</p>
<ol>
<li>Nobody on the server team, including myself, uses nginx
with ModSecurity.</li>
<li>Maintaining ModSecurity as a separate package is not
feasible because the only way to build dynamic modules is to
compile them alongside the NGINX source code at the same time, then
take the compiled .so binary module and extract it from the build for
the binary package that installs it, and NGINX does not currently
provide a way for packagers to have access to the source system
other than compiling NGINX from scratch (or as part of a packaging
build process, of which this is one of the steps), which in
turn requires that the Ubuntu Server Team (or myself, or both)
have to help maintain the package <em>including</em> ModSecurity as part
of the nginx source package.</li>
<li>If ModSecurity has a security vulnerability that
affects older versions of ModSecurity than the latest, backporting
security fixes has to be <strong>guaranteed</strong> to be done by upstream for any version
shipped in Ubuntu for five years, which tends to give
the upstream software developers strife.</li>
<li>There has been no extra justification thus far as to
how this is globally beneficial in a way that doesn't add extra
difficulty to the long-term maintenance of the nginx software in
Universe or by the Server or Security teams (especially in
Universe, where security patches are community-provided and not
done by the Ubuntu Security Team regularly).</li>
<li>Debian does not ship modsecurity with NGINX, and as a
result we don't, so adding modsecurity would add a significant
delta to the packaging and further diverge from Debian heavily.</li>
</ol>
<p>Primarily because of points two and five, I have been heavily
against adding new third-party modules and such to the nginx
source code unless absolutely necessary to make some functionality
replaceable (such as the libnginx-mod-http-geoip2 module which we
added for GeoIP 2 library support, something Upstream would not
do, and that was later picked up in Debian recently so the delta
was significantly reduced).</p>
<p>While I don't speak for the entire Server team, I'm not sure the
Server Team as a whole would want to commit to supporting
modsecurity in nginx on top of the other third-party modules we
already have to look after in the packaging. You may want to
check with Debian first, and ask if Debian wants to include
modsecurity in NGINX. If they wish to, they can import it into
their packaging, and we'll pick it up in the next Ubuntu
cycle (21.04 most likely), and then it'll be available in Ubuntu.
But we usually want to check whether Debian wants to support it
heavily as well. My historical insight into this is that it has been
discussed and rejected in Debian, but you're free to ask the nginx
maintainers in Debian that question as well with a Debian bug.</p>
<p>My two cents for right now, but maintaining modsecurity in nginx
could introduce more headaches for maintaining things in the
future for the Server Team and myself, because any bugs filed
against it are likely not going to get nitpicked and included as
fixes because there's no mechanism to really separately maintain
modsecurity outside of the nginx source package.</p>
<p><br>
------<br>
</p>
<p>Thomas<br>
Ubuntu Server Team Member<br>
</p>
<div class="moz-cite-prefix">On 8/16/20 6:55 AM, Niels Kristensen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALbB6a-BBxEA5Fj9c+7wg+9hvKJ=yRggA4g9Hp63jB8XCi-quQ@mail.gmail.com">
<div dir="ltr">Hi!
<div><br>
</div>
<div>I've been looking for the best way to maintain a deb
package for the ModSecurity dynamic Nginx module: <a
href="https://github.com/SpiderLabs/ModSecurity-nginx"
moz-do-not-send="true">https://github.com/SpiderLabs/ModSecurity-nginx</a></div>
<div><br>
</div>
<div>I'm not experienced with packaging for Ubuntu, so I'm not
sure if the Universe repository is the best place, or if it's
a PPA.</div>
<div><br>
</div>
<div>I've looked at the other packages for dynamic Nginx modules
in Universe (libnginx-mod-*), and it seems like they are
compiled using the same deb source package, so I thought that
it might be a good place to add the ModSecurity module as
well. What do you think?</div>
<div><br>
</div>
<div>There is already something out there for building a deb
package of the module for 18.04 <a
href="https://github.com/phusion/nginx-modsecurity-ubuntu"
moz-do-not-send="true">https://github.com/phusion/nginx-modsecurity-ubuntu</a>
but it is not maintained anymore.<br>
</div>
<div><br>
</div>
<div>Br Niels</div>
</div>
</blockquote>
</body>
</html>