NGINX in Ubuntu: Course of Action - Opinions Please

[Thomas Ward]

All:

So, we're in the Wily development schedule. Now would be a perfect time
to be merging in NGINX from Debian since they released an update.
However, due to what they've actually uploaded, I want additional opinions.

As most are aware, NGINX in Ubuntu has a binary package now included in
main, nginx-core, which has been in Main since 14.04. As such, it gets
security updates, and could be included in the images if we so chose. We
also have me providing bugfixes as I can, with my having upload
privileges to upload direct and then loop in the SRU/Release team. The
version of NGINX in Vivid (and Wily) is the NGINX stable 1.6.x branch of
releases.

What many may not be aware of, however, is that on April 21, 2015, the
1.6.x branch was deprecated, and is no longer supported by upstream. It
was replaced by the NGINX 1.8.x stable branch, which is based off of the
previous 1.7.x mainline branch, but is now stable. The mainline version
was replaced with 1.9.x (currently 1.9.1). As Debian does, sometimes to
my chagrin, they have 'switched' briefly to the Mainline branch and
packaged 1.9.1 for Debian Unstable, which I'm told is something they do
between releases of Debian.  Unfortunately, that puts me in a very
difficult position of having to decide the course of action for the
future of the NGINX package in Ubuntu, specifically whether we continue
to use Debian's packaging or use a separate Stable packaging from me,
and I don't feel immediately qualified to make that decision on my own.

>From understanding of how Ubuntu handles releases, it's preferred to
stay on 'stable' branches of software rather than rely on an
in-development, new-features-available-each-update like branch for the
software. Debian packages NGINX 1.9.x, which adds some complexity to my
decision. While NGINX 1.8.x has all the features from NGINX 1.7.x (which
has many new features not present in the 1.6.x branch), 1.9.x has many
more features but is more 'actively developed', which leads to
additional bugs.  The following is the response I was able to get from
the NGINX Product Manager on this, where I asked specifically about the
release handling process of nginx, as well as a general description of
projected next-major-version releases, as well as current development
plans for 1.9.x and such:

---

"The mainline release is our new-feature development stream, carrying an
odd-numbered minor version.

In parallel, we maintain a ’stable’ release with a lower even-numbered
minor version. For example, the current mainline release is 1.9.x, and
the stable release (1.8.x) was forked from this in April
(http://nginx.com/blog/nginx-1-8-and-1-9-released/). Stable will be
supported for one year, and will receive critical bug and security
updates only.

Every year, typically in April, we do the following:
* End support for the current stable release
* Branch the current mainline release to create the next annual stable
release
* Update the version number in the current mainline release to create
the next annual mainline release

There’s a description of the process here:
http://nginx.com/blog/nginx-1-6-1-7-released/

In April 2016, we are likely then to release 1.10.x (stable) and 1.11.x
(mainline) (or possibly 2.0.x and 2.1.x - we have not decided)

New features planned for the mainline release in 2015/16 include support
for HTTP/2 and a new dynamic modules architecture."

---

Currently, I maintain the NGINX PPAs (see https://launchpad.net/~nginx),
with both 1.8.x and 1.9.x branches in separate PPAs (1.9.x is pending a
third party module actually providing an update to the module as a point
release so we don't pull git head from them), and am comfortable enough
with the system there to provide support for either and to package them,
even if we package 1.8.x by hand and directly upload to the repositories
and ignore merges in the interim, and just import changes from Debian
case by case until they go back to the Stable branch of NGINX. However,
as I said above, I need more discussion points on this, and more advice
and input.

The consideration point for this is a huge one, as it likely impacts
both Wily now, and likely the next LTS (16.04).

If we go NGINX Mainline, we must support 1.9.x and many new additionally
developed features for both Wily, and likely the next LTS (16.04). We
must also handle bugs that come from those additional features, some of
which we won't easily be able to resolve.  And as we know, an
actively-developed branch is not necessarily the most stable.

If we go NGINX Stable, we must manually build the package of 1.8.x, and
nitpick Debian's changes on a case by case basis, and upstream fixes for
security bugs and such.  (I am comfortable enough building the package
and updating the third party modules in the Universe-pocket binaries for
code differences to build packages and manually upload them, as I have a
1.8.x code base in the PPA already that mirrors Debian's packaging, with
some minor changes, and introducing the Ubuntu delta back in will not be
exceedingly difficult.)


So, that's the issue at hand.  Note that I have put this item onto the
Server Team's agenda, as I would like the server team's input on this
with regards to making the long term decision, and I will not be
choosing any hard option until the Ubuntu Server Team meeting on Tuesday.

Please discuss, and let's see if we can come up with a decision that we
can all live with.


Thomas