[Bug 1867150] [NEW] FFe: nginx: demote bin:libnginx-mod-http-geoip
Andreas Hasenack
andreas at canonical.com
Thu Mar 12 13:39:23 UTC 2020
Public bug reported:
In MIR bug #1861101 we want to bring into main the geoip2 library
src:libmaxminddb. The MIR team agreed to that with some conditions, one
of which is to demote the geoip1 legacy version of the library
(src:geoip) in order to not have both in main.
bin:libnginx-mod-http-geoip is one of the reverse-dependencies of
bin:libgeoip1.
The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no
longer uses the legacy geoip1 library, and has switched to the supported
geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the
geoip features in focal. But it's also an opportunity to switch away
from the legacy geoip1 library.
For the nginx case, bin:libnginx-mod-http-geoip is pulled in via
bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full
which are in universe already.
The original plan was to just replace the dependency on
libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2,
but that can't happen immediately because the source code for
libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus
is not subject to the MIR that brought nginx into main a while ago. We
can't pull bin:libnginx-mod-http-geoip2 into main without another MIR
for just that module, which will require a security review. I will file
an MIR for that anyway, but we expect the security review to not get
done in time for focal.
We then changed the plan to just demote bin:libnginx-mod-http-geoip to
universe. This will allow src:geoip (the geoip1 legacy library) to be
demoted, and the MIR team has agreed to that plan[3].
This means that bin:nginx-core will no longer have a dependency on any
nginx geoip modules, legacy or otherwise, and thus represents a feature
change.
I added a release notes task to the MIR bug #1861101 and the following
scenarios about this change come to mind:
a) Since bin:nginx-core dropped the dependency on
bin:libnginx-mod-http-geoip, if someone got it by installing
bin:nginx-core, an "apt autoremove" might suggest that
bin:libnginx-mod-http-geoip can be removed. If this happens, and there
are still geoip configuration directives somewhere in /etc/nginx/**,
nginx will fail to restart. Note that this would also happen had we
replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2,
as the configuration directives are different.
b) If someone has just main enabled in < focal, with bin:nginx-core and
bin:libnginx-mod-http-geoip installed, and release upgrades to focal,
libnginx-mod-http-geoip won't be upgraded because it's in
focal/universe.
Attached is the proposed change to nginx, from
https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
PPA with a test build, together with bind9 already linking with
libmaxminddb:
https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-geoip
1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18
** Affects: nginx (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
+ Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
+
+
https://bugs.launchpad.net/bugs/1867150
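
A pre-removal check for scenario (a) above, as an added example that is not part of the original bug report: it scans an nginx configuration tree for directives and variables of the legacy geoip module, so they can be migrated before "apt autoremove" drops bin:libnginx-mod-http-geoip. The directive names are those of nginx's legacy geoip module; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-removal check for scenario (a).
# Matches legacy ngx_http_geoip_module directives and its $geoip_* variables
# outside comments; geoip2 names (geoip2, $geoip2_*) do not match.
LEGACY_RE='^([^#]*[[:space:];{}])?geoip_(country|city|org|proxy(_recursive)?)[[:space:]]|^[^#]*\$geoip_[a-z]'

# Print file:line:text for every legacy geoip reference under directory $1.
find_legacy_geoip() {
    grep -rnE "$LEGACY_RE" "$1" 2>/dev/null || true
}

# Succeed only when no legacy reference remains, i.e. removing
# libnginx-mod-http-geoip would not leave unknown directives behind.
safe_to_remove_geoip_module() {
    [ -z "$(find_legacy_geoip "$1")" ]
}

# Constructed sample tree standing in for /etc/nginx (paths are illustrative).
make_constructed_sample() {
    mkdir -p "$1/conf.d" "$1/sites-enabled"
    cat > "$1/conf.d/geo.conf" <<'EOF'
geoip_country /usr/share/GeoIP/GeoIP.dat;
# geoip_city /usr/share/GeoIP/GeoIPCity.dat;
EOF
    cat > "$1/sites-enabled/app" <<'EOF'
server {
    listen 80;
    add_header X-Country $geoip_country_code;
}
EOF
    cat > "$1/conf.d/geo2.conf" <<'EOF'
geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_country_code country iso_code;
}
EOF
}

# With no argument, scan the constructed sample; otherwise scan the given directory.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp -d)
    make_constructed_sample "$target"
fi
if safe_to_remove_geoip_module "$target"; then
    echo "no legacy geoip references under $target"
else
    echo "legacy geoip references found; removing the module would break nginx:"
    find_legacy_geoip "$target"
fi
```

The match is line-based, so a `#` inside a quoted string hides the rest of that line; `nginx -t` after the change remains the authoritative check.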