Ubuntu
nginx package

Bug #1867198
Comment #1

Comment 1 for bug 1867198

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-03-13:

This is a bit of a special review,
the few packaging bits "on top of normal nginx" are just:
- ./debian/libnginx-mod-http-geoip2.nginx
- ./debian/libnginx-mod.conf/mod-http-geoip2.conf
and a few entries in d/rules
- debian/rules:16: http-geoip2 \
- debian/rules:122: --add-dynamic-module=$(MODULESDIR)/http-geoip2
- debian/rules:156: --add-dynamic-module=$(MODULESDIR)/http-geoip2

They all LGTM and don't need a full MIR review "again" for those few lines.
They are a bit complex but that just reflects how things are in nginx until modules can be proper external sources.

The actual source of it is in:
- debian/modules/http-geoip2/*

And that is the new bit as it is an external source and was not security reviewed when nginx was handled.
The source is from:
=> https://github.com/leev/ngx_http_geoip2_module

Problems:
- some others have ./debian/modules/watch entries but this one is missing
add this to reduce the chance to miss updates
- the current release is not packaged (but not too far behind)
- one crasher bug open upstream, but resolved in 3.3

TODOs:
- @Andreas / Teward - would you mind bumping the embedded version to 3.3?
- that is just a crash fix on DB reload
- @Andreas / Teward - would you mind adding geoip2 to ./debian/modules/watch?
- @Security - Since this is sort of the entry point where things might have more external control to be craftable a security review of just debian/modules/http-geoip2/* is recommended.
- @Security this raises an extra question if we need to set something up that this will be properly CVE tracked - could you outline if that will work well?

Assigning security for now.
Once reviewed the MIR Team can re-check if the other todo's were resolved in the meantime and then I think promotion can happen.

This is a bit of a special review,
the few packaging bits "on top of normal nginx" are just:
- ./debian/libnginx-mod-http-geoip2.nginx
- ./debian/libnginx-mod.conf/mod-http-geoip2.conf
and a few entries in d/rules
- debian/rules:16:        http-geoip2 \
- debian/rules:122:                       --add-dynamic-module=$(MODULESDIR)/http-geoip2
- debian/rules:156:                       --add-dynamic-module=$(MODULESDIR)/http-geoip2

They all LGTM and don't need a full MIR review "again" for those few lines.
They are a bit complex but that just reflects how things are in nginx until modules can be proper external sources.

The actual source of it is in:
- debian/modules/http-geoip2/*

And that is the new bit as it is an external source and was not security reviewed when nginx was handled.
The source is from:
=> https://github.com/leev/ngx_http_geoip2_module

I re-did the sections that would apply for this code:
- does not FTBFS currently                                                 
- does not have a test suite that runs at build time                           
- no translation present, but none needed for this case (not user visible)?    
- not a python package, no extra constraints to consider int hat regard    
- symbols tracking not applicable for this kind of code.                   
- Upstream update history is ok
- promoting this does not seem to cause issues for MOTUs that so far       
  maintained the package                                                   
- no massive Lintian warnings                                              
- no geoip2 related issues int the build log
- no incautious use of malloc/sprintf (as far as I can check it)           
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH                         
- no use of user nobody                                                    
- no use of setuid                                                         
- no dependency on webkit, qtwebkit, seed or libgoa-*                      
- no embedded source copies (well this IS the embedded source, but no further ones)

Problems:
- some others have ./debian/modules/watch entries but this one is missing
  add this to reduce the chance to miss updates
- the current release is not packaged (but not too far behind)
- one crasher bug open upstream, but resolved in 3.3

TODOs:
- @Andreas / Teward - would you mind bumping the embedded version to 3.3?
  - that is just a crash fix on DB reload
- @Andreas / Teward - would you mind adding geoip2 to ./debian/modules/watch?
- @Security - Since this is sort of the entry point where things might have more external control to be craftable a security review of just debian/modules/http-geoip2/* is recommended.
- @Security this raises an extra question if we need to set something up that this will be properly CVE tracked - could you outline if that will work well?

Assigning security for now.
Once reviewed the MIR Team can re-check if the other todo's were resolved in the meantime and then I think promotion can happen.

Ubuntunginx package

Comment 1 for bug 1867198

Ubuntu
nginx package