Re: An initial attempt to help with SSL-related bugs
After spending a scary amount of time trying different things I've thus far been unable to build Apache from the SVN repository.

I've tried checking out trunk/debian into a subdir of the unpacked source. I've tried checking out the whole SVN repository and using a symlink for debian, but everything has failed.

If somebody wouldn't mind explaining how it is supposed to be done it would be greatly appreciated. (I'm reasonably familiar with SVN; but when I've used it for packaging in the past the *whole* source was there upstream and all, so building was trivial..)

Steve
--
[feeling a little stupid]
Re: An initial attempt to help with SSL-related bugs
On Tuesday 29 April 2008, Steve Kemp wrote:
> I've tried checking out trunk/debian into a subdir of the unpacked source. I've tried checking out the whole SVN repository and using a symlink for debian, but everything has failed.

Why do I have the suspicion that you looked at the apache 1.3 packaging? Don't follow that path, it will lead to insanity...

The svn directory structure is a bit weird. Usually it's package_name/{trunk,tags,branches} but we have {trunk,tags,branches}/package_name for some (historical?) reason.

This works for me:

    tar -xvzf apache2_2.2.8.orig.tar.gz
    cd httpd-2.2.8/
    svn co svn://svn.debian.org/pkg-apache/trunk/apache2 debian
    dpkg-buildpackage -rfakeroot -us -uc

(plus -i or -I to omit the .svn dirs, I can't remember which)

Cheers,
Stefan
Re: An initial attempt to help with SSL-related bugs
On Tue Apr 29, 2008 at 21:58:22 +0200, Stefan Fritsch wrote:
> This works for me:
>
>     tar -xvzf apache2_2.2.8.orig.tar.gz
>     cd httpd-2.2.8/
>     svn co svn://svn.debian.org/pkg-apache/trunk/apache2 debian
>     dpkg-buildpackage -rfakeroot -us -uc

Thank you, that was very similar to something somebody told me on IRC, which got me all confused and wrong.

I've got it building now with only warnings about permission changes, which I guess are ignorable. I'll start being able to submit patches shortly.

Steve
An initial attempt to help with SSL-related bugs
As promised on IRC earlier today I'm interested in tidying up some of the SSL-related bugs currently reported against the Apache2 package(s) in Debian.

Here's a brief list of bugs, and my suggestion for handling each.

#267477 ssl: some easy way to set up an ssl server (as apache-ssl package in apache 1)
  - Suggestion:
    1. Update the sites-available/default to include SSL options.
    2. Update a2enmod so that if a2enmod ssl is executed then a new certificate is generated via openssl | ssl-cert if the referenced one isn't already present.

#290458 mod_ssl preventing apache2 from starting (segfault)
  - Suggestion: Close. Very old. Not confirmed.

#350733 apache2: SSI generate seg fault on apache 2.0.55-4
  - Suggestion: Close. Very old. Not confirmed.

#301155 ssl.conf won't run
  - [Refers to an example file we no longer ship. Close bug if we can handle #267477]

#395936: Apache2 SSL service stopped working since upgrade to 2.2.3-2
  - Close. Warning was added per bug log.

#398520 missing /usr/sbin/apache2-ssl-certificate
  - Reinstate script, as a wrapper around openssl, or the new ssl-cert package.
    Question: Why was this removed? Can we not re-add it?

#421802 apache2: ssl.conf dropped IE workarounds
  - Reinstate options in the default file we ship as per #2567477
  - then close this bug.

#260063 apache2: suggestion to add new file - conf.d/security.conf
  - I would add this file with the suggested comments. I'd also suggest adding comments here about things such as:
    1. ServerTokens Minimal
    2. ServerSignature Off
    (If this were done #341022 could be closed.)

I think those are the ones that jumped out at me on an initial pass over the bugs of package 'apache2', I'm sure there are probably more relevant ones in the other Apache packages; so I'll look at those shortly, if this mail results in a positive response.

I guess my questions now are:

1. Are these suggested solutions reasonable?
2. If so should I submit patches to the list / the relevant bugs / do something else?

Steve
Re: An initial attempt to help with SSL-related bugs
Hi Steve,

On Tuesday 15 April 2008, Steve Kemp wrote:
> #267477 ssl: some easy way to set up an ssl server (as apache-ssl package in apache 1)
> - Suggestion:
> 1. Update the sites-available/default to include SSL options.

Yes, but how? Put all common options into an include file and include it in each of the two virtual hosts (like Message #132 in the bug)? Maybe using two files sites-available/default and sites-available/default-ssl would be better even.

And what virtualhost setup to use? The most correct one would be

    NameVirtualHost *:80
    VirtualHost *:80
    ...
    VirtualHost _default_:443
    ...

because the ssl virtual host is IP/port based, not name based. OTOH this could create headaches on upgrade. BTW, the NameVirtualHost statement should go into ports.conf (there is another bug about this, too).

> 2. Update a2enmod so that if a2enmod ssl is executed then a new certificate is generated via openssl | ssl-cert if the referenced one isn't already present.

I would prefer a separate script. But a2enmod ssl could print a pointer to that script.

> #290458 mod_ssl preventing apache2 from starting (segfault)
> - Suggestion: Close. Very old. Not confirmed.

agreed

> #350733 apache2: SSI generate seg fault on apache 2.0.55-4
> - Suggestion: Close. Very old. Not confirmed.

agreed

> #301155 ssl.conf won't run
> - [Refers to an example file we no longer ship. Close bug if we can handle #267477]
> #395936: Apache2 SSL service stopped working since upgrade to 2.2.3-2
> - Close. Warning was added per bug log.

these two are the same and are an issue only when upgrading from 2.0. Can be closed for sid/lenny.

> #398520 missing /usr/sbin/apache2-ssl-certificate
> - Reinstate script, as a wrapper around openssl, or the new ssl-cert package.
> Question: Why was this removed? Can we not re-add it?

Don't know, I wasn't around then. One should look at it if it does something differently than ssl-cert.

> #421802 apache2: ssl.conf dropped IE workarounds
> - Reinstate options in the default file we ship as per #2567477
> - then close this bug.

right

> #260063 apache2: suggestion to add new file - conf.d/security.conf
> - I would add this file with the suggested comments. I'd also suggest adding comments here about things such as:
> 1. ServerTokens Minimal
> 2. ServerSignature Off

I am undecided about this. If yes, traceenable would be another candidate.

> (If this were done #341022 could be closed.)

Denying / by default would definitely need a NEWS entry, because it would break quite a few setups.

> I think those are the ones that jumped out at me on an initial pass over the bugs of package 'apache2', I'm sure there are probably more relevant ones in the other Apache packages; so I'll look at those shortly, if this mail results in a positive response.
> I guess my questions now are:
> 1. Are these suggested solutions reasonable?

Sure.

> 2. If so should I submit patches to the list / the relevant bugs / do something else?

I think mailing patches to the bugs would be best for a start.

Thanks for your help.

Cheers,
Stefan
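
The separate script Stefan prefers, combined with Steve's rule of generating a certificate only when the referenced one is absent, could look like the following. It is an added example, not code from the thread, a2enmod or ssl-cert; the function names are hypothetical, and it assumes one SSL virtual host per file with separate SSLCertificateFile and SSLCertificateKeyFile directives.

```shell
#!/bin/sh
# Added example, not from the thread: function names are hypothetical.
# Assumes one SSL virtual host per file, with separate
# SSLCertificateFile and SSLCertificateKeyFile directives.

# Print the path given to directive $1 in config file $2. Commented-out
# lines never match; surrounding double quotes are stripped.
directive_path() {
    awk -v d="$1" '
        tolower($1) == tolower(d) { p = $2 }
        END { gsub(/"/, "", p); if (p != "") print p }
    ' "$2"
}

# List "<directive> <path>" for every referenced file that does not exist.
missing_ssl_files() {
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        p=$(directive_path "$d" "$1")
        if [ -n "$p" ] && [ ! -e "$p" ]; then
            echo "$d $p"
        fi
    done
}

# Generate a self-signed pair only when neither file exists, so a
# certificate or key the administrator installed is never overwritten.
ensure_ssl_cert() {
    crt=$(directive_path SSLCertificateFile "$1")
    key=$(directive_path SSLCertificateKeyFile "$1")
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "$1: certificate or key directive not found" >&2
        return 2
    fi
    if [ -e "$crt" ] && [ -e "$key" ]; then
        return 0                      # nothing to do
    fi
    if [ -e "$crt" ] || [ -e "$key" ]; then
        echo "only one of $crt and $key exists; not overwriting" >&2
        return 1
    fi
    # umask keeps the private key unreadable by other users.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$(hostname)" -keyout "$key" -out "$crt" )
}
```

Running `missing_ssl_files` against a site file first shows what `ensure_ssl_cert` would act on; with a complete certificate and key already installed it changes nothing.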
Re: An initial attempt to help with SSL-related bugs
On Tue Apr 15, 2008 at 22:37:30 +0200, Stefan Fritsch wrote:
> If you think it inadequate, you can just mail the whole thing to the list, too. I guess we will give you svn access soon, anyway.

The whole series of changes against SVN? That to me would seem like a good way forward. But I'd be happy with the bug report - I guess I just have to file the responses in the correct order and reference other bugs appropriately.

> Note that a2enmod is completely rewritten in svn trunk. So please use that as base.

OK. I guess using SVN trunk is going to be the best way forward altogether really.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit