[Bug 1867150] [NEW] FFe: nginx: demote bin:libnginx-mod-http-geoip

Andreas Hasenack andreas at canonical.com
Thu Mar 12 13:39:23 UTC 2020


Public bug reported:

In MIR bug #1861101 we want to bring into main the geoip2 library
src:libmaxminddb. The MIR team agreed to that with some conditions, one
of which is to demote the geoip1 legacy version of the library
(src:geoip) in order to not have both in main.
bin:libnginx-mod-http-geoip is one of the reverse-dependencies of
bin:libgeoip1.

The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no
longer uses the legacy geoip1 library, and has switched to the supported
geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the
geoip features in focal. But it's also an opportunity to switch away
from the legacy geoip1 library.

For the nginx case, bin:libnginx-mod-http-geoip is pulled in via
bin:nginx-core which is in main, and bin:nginx-extras and bin:nginx-full
which are in universe already.

The original plan was to just replace the dependency on
libnginx-mod-http-geoip in bin:nginx-core with libnginx-mod-http-geoip2,
but that can't happen immediately because the source code for
libnginx-mod-http-geoip2 does not come from nginx itself[1][2], and thus
is not subject to the MIR that brought nginx into main a while ago. We
can't pull bin:libnginx-mod-http-geoip2 into main without another MIR
for just that module, which will require a security review. I will file
an MIR for that anyway, but we expect the security review to not get
done in time for focal.

We then changed the plan to just demote bin:libnginx-mod-http-geoip to
universe. This will allow src:geoip (the geoip1 legacy library) to be
demoted, and the MIR team has agreed to that plan[3].

This means that bin:nginx-core will no longer have a dependency on any
nginx geoip modules, legacy or otherwise, and thus represents a feature
change.

I added a release notes task to the MIR bug #1861101 and the following
scenarios about this change come to mind:

a) Since bin:nginx-core dropped the dependency on
bin:libnginx-mod-http-geoip, if someone got it by installing
bin:nginx-core, an "apt autoremove" might suggest that
bin:libnginx-mod-http-geoip can be removed. If this happens, and there
are still geoip configuration directives somewhere in /etc/nginx/**,
nginx will fail to restart. Note that this would also happen had we
replaced bin:libnginx-mod-http-geoip with bin:libnginx-mod-http-geoip2,
as the configuration directives are different.

b) If someone has just main enabled in < focal, with bin:nginx-core and
bin:libnginx-mod-http-geoip installed, and release upgrades to focal,
libnginx-mod-http-geoip won't be upgraded because it's in
focal/universe.

Attached is the proposed change to nginx, from
https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14

PPA with a test build, together with bind9 already linking with
libmaxminddb:

https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-geoip


1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  In MIR bug #1861101 we want to bring into main the geoip2 library
  src:libmaxminedb. The MIR team agreed to that with some conditions, one
  of which is to demote the geoip1 legacy version of the library
  (src:geoip) in order to not have both in main. bin:libnginx-mod-http-
  geoip is one of the reverse-dependencies of bin:libgeoip1.
  
  The main reason behind the src:libmaxminddb MIR is that bind9 9.16.x no
  longer uses the legacy geoip1 library, and has switched to the supported
  geoip2 one (src:libmaxminddb). Without this change, bind9 will lose the
  geoip features in focal. But it's also an opportunity to switch away
  from the legacy geoip1 library.
  
  For the nginx case, bin:libnginx-mod-http-geoip is pulled in via bin
  :nginx-core which is in main, and bin:nginx-extras and bin:nginx-full
  which are in universe already.
  
  The original plan was to just replace the dependency on libnginx-mod-
  http-geoip in bin:nginx-core with libnginx-mod-http-geoip2, but that
  can't happen immediately because the source code for libnginx-mod-http-
  geoip2 does not come from nginx itself[1][2], and thus is not subject to
  the MIR that brought nginx into main a while ago. We can't pull bin
  :libnginx-mod-http-geoip2 into main without another MIR for just that
  module, which will require a security review. I will file an MIR for
  that anyway, but we expect the security review to not get done in time
  for focal.
  
  We then changed the plan to just demote bin:libnginx-mod-http-geoip to
  universe. This will allow src:geoip (the geoip1 legacy library) to be
  demoted, and the MIR team has agreed to that plan[3].
  
  This means that bin:nginx-core will no longer have a dependency on any
  nginx geoip modules, legacy or otherwise, and thus represents a feature
  change.
  
  I added a release notes task to the MIR bug #1861101 and the following
  scenarios about this change come to mind:
  
  a) Since bin:nginx-core dropped the dependency on bin:libnginx-mod-http-
  geoip, if someone got it by installing bin:nginx-core, an "apt
  autoremove" might suggest that bin:libnginx-mod-http-geoip can be
  removed. If this happens, and there are still geoip configuration
  directives somewhere in /etc/nginx/**, nginx will fail to restart. Note
  that this would also happen had we replaced bin:libnginx-mod-http-geoip
  with bin:libnginx-mod-http-geoip2, as the configuration directives are
  different
  
  b) If someone has just main enabled in < focal, with bin:nginx-core and
  bin:libnginx-mod-http-geoip installed, and release upgrades to focal,
  libnginx-mod-http-geoip won't be upgraded because it's in
  focal/universe.
  
  
+ Attached is the proposed change to nginx, from https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/14
+ 
+ 
  1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/10
  2. https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1825895
  3. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/18

https://bugs.launchpad.net/bugs/1867150
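
The check below is an added example, not part of the original bug report or of any Ubuntu tooling: it covers scenario (a) by scanning an nginx configuration tree for active directives of the legacy geoip module and reporting whether apt has the module marked as automatically installed. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-upgrade check for scenario (a).
# Directive names are those of nginx's legacy ngx_http_geoip_module.
GEOIP1_DIRECTIVES='geoip_country|geoip_city|geoip_org|geoip_proxy|geoip_proxy_recursive'

# Print file:line:text for each active (uncommented) legacy geoip directive.
find_geoip1_directives() {
    grep -rnE "^([^#]*[;{[:space:]])?(${GEOIP1_DIRECTIVES})[[:space:]]" "${1:-/etc/nginx}" 2>/dev/null
}

# True when apt considers the module automatically installed, i.e. a
# candidate for "apt autoremove" once nginx-core drops the dependency.
module_is_auto_installed() {
    command -v apt-mark >/dev/null 2>&1 || return 2
    [ -n "$(apt-mark showauto libnginx-mod-http-geoip 2>/dev/null)" ]
}

# Return 1 (and explain) when the configuration still needs the geoip1 module.
check_geoip_demotion() {
    hits=$(find_geoip1_directives "$1") || true
    if [ -z "$hits" ]; then
        echo "OK: no legacy geoip directives found"
        return 0
    fi
    printf 'Legacy geoip directives still in use:\n%s\n' "$hits"
    if module_is_auto_installed; then
        echo "Module is auto-installed; keep it with: apt-mark manual libnginx-mod-http-geoip"
    fi
    return 1
}

# Constructed sample tree (hypothetical paths and values) for trying the check.
make_sample_conf() {
    d=$(mktemp -d) && mkdir "$d/conf.d"
    cat > "$d/nginx.conf" <<'EOF'
http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    # geoip_city /usr/share/GeoIP/GeoIPCity.dat;
    include conf.d/*.conf;
}
EOF
    cat > "$d/conf.d/site.conf" <<'EOF'
server { geoip_proxy 10.0.0.0/8; set $cc $geoip_country_code; }
EOF
    echo "$d"
}
```

Run `check_geoip_demotion /etc/nginx` before the release upgrade or before accepting an "apt autoremove" proposal; a non-zero exit means the configuration still references the legacy module.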