[Bug 1861101] Re: [MIR]: dependency of bind9
Also updated the release notes regarding the nginx changes: https://wiki.ubuntu.com/FocalFossa/ReleaseNotes#nginx

-- 
You received this bug notification because you are a member of Ubuntu Server, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1861101

Title: [MIR]: dependency of bind9

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/1861101/+subscriptions
-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1861101] Re: [MIR]: dependency of bind9
I updated the release notes: https://wiki.ubuntu.com/FocalFossa/ReleaseNotes#Bind_9.16

** Changed in: ubuntu-release-notes
       Status: New => Fix Released

** Changed in: ubuntu-release-notes
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)
[Bug 1861101] Re: [MIR]: dependency of bind9
python-maxminddb was promoted, so python-geoip2 can also be promoted now. See comment #19 for the MIR approval.
[Bug 1861101] Re: [MIR]: dependency of bind9
>> - For 20.04 we really should consider going ahead to the much newer 1.5.2
>>   => https://github.com/maxmind/MaxMind-DB-Reader-python/releases
>> @andreas will you take a look at this, just as you did with the other
>> related package that was slightly outdated?
> FFe bug for the update: https://bugs.launchpad.net/ubuntu/+source/python-maxminddb/+bug/1867919

FFe approved, MP for the update to 1.5.2 at https://code.launchpad.net/~ahasenack/ubuntu/+source/python-maxminddb/+git/python-maxminddb/+merge/380854
[Bug 1861101] Re: [MIR]: dependency of bind9
> - For 20.04 we really should consider going ahead to the much newer 1.5.2
>   => https://github.com/maxmind/MaxMind-DB-Reader-python/releases
> @andreas will you take a look at this, just as you did with the other
> related package that was slightly outdated?

FFe bug for the update: https://bugs.launchpad.net/ubuntu/+source/python-maxminddb/+bug/1867919

> - I'd wonder if we can get a security review (on all of these) in the long
>   run but not gating the MIR for now - details below?

Carded https://trello.com/c/uUivNu65

> - Debian updates a bit slowly, we might need to do the monitoring and
>   updating on this one - @Andreas is that ok for you to do that
>   along e.g. bind9 merges?

I subscribed to the debian package tracker for these packages: python-maxminddb, libmaxminddb0, python-geoip2

I subscribed to upstream announce mailing lists or equivalent for these projects: python-maxminddb (via github releases), libmaxminddb (via github releases), python-geoip2 (via github releases).
[Bug 1861101] Re: [MIR]: dependency of bind9
python-maxminddb MIR request

Availability:
The package must already be in the Ubuntu universe, and must build for the architectures it is designed to work on.
- package is in universe: https://launchpad.net/ubuntu/+source/python-maxminddb
- package builds for amd64, arm64, armhf, ppc64el, s390x (i386 was dropped in the last upload, unknown at the moment if it has to be re-enabled for i386)

Rationale:
The package is a dependency of python-geoip2 which is to be promoted to main via MIR bug #1861101. See https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/17 for the application, and https://bugs.launchpad.net/ubuntu/+source/python-geoip2/+bug/1861101/comments/19 for the ACK.

In general, we are demoting python-geoip (the legacy GeoIP1 support) and want to replace it with geoip2. The unseeding of python-geoip already happened in https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/ubuntu/+merge/380547/

Security
- zero advisories at https://github.com/maxmind/MaxMind-DB-Reader-python/security/advisories
* http://cve.mitre.org/cve/search_cve_list.html
  - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=maxmind returned a hit for a javascript implementation
  - geoip2, maxminddb, python-maxminddb, MaxMind-DB-Reader-python (the upstream name): no hits
* check OSS security mailing list (feed 'site:www.openwall.com/lists/oss-security ' into search engine)
  - "site:www.openwall.com/lists/oss-security maxminddb": no results
  - "site:www.openwall.com/lists/oss-security maxmind": one hit:
    - https://www.openwall.com/lists/oss-security/2011/05/20/4
    - related to CVE-2007-0159 which was about the geoip1 C API
  - "site:www.openwall.com/lists/oss-security python-maxminddb": no results
  - "site:www.openwall.com/lists/oss-security python-maxmind": just ads as results
  - "site:www.openwall.com/lists/oss-security MaxMind-DB-Reader-python": no results
  - "site:www.openwall.com/lists/oss-security geoip2": no results
* Ubuntu CVE Tracker
  * http://people.ubuntu.com/~ubuntu-security/cve/main.html
    - no hits for maxminddb, geoip2, geoip, maxmind
  * http://people.ubuntu.com/~ubuntu-security/cve/universe.html
    - no hits for maxminddb, maxmind, geoip, geoip2
  * http://people.ubuntu.com/~ubuntu-security/cve/partner.html
    - has no packages or CVEs at all
* Check for security relevant binaries. If any are present, this requires a more in-depth security review.
  - the source package builds two binary packages: python3-maxminddb and python-maxminddb-doc
  The following is about these two binary packages.
  * Executables which have the suid or sgid bit set.
    - none
  * Executables in /sbin, /usr/sbin.
    - none (since it's a python module and its documentation, there are no executables)
  * Packages which install services / daemons (/etc/init.d/*, /etc/init/*, /lib/systemd/system/*)
    - no services
  * Packages which open privileged ports (ports < 1024).
    - none
  * Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)
    - being a python module, it is meant to be used by other software. The current list of reverse-depends contains just one package and that is python3-geoip2 (src:python-geoip2). That package in turn is a dependency of "sopel", an IRC bot (according to its description).

Quality assurance:
* After installing the package it must be possible to make it work with a reasonable effort of configuration and documentation reading.
  - python module is readily importable after installation
* The package must not ask debconf questions higher than medium if it is going to be installed by default. The debconf questions must have reasonable defaults.
  - no debconf questions
* There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package.
  - upstream bugs: 2 open, 17 closed: https://github.com/maxmind/MaxMind-DB-Reader-python/issues. Both open bugs are tagged with "enhancement" and are many years old
  - ubuntu bugs: none other than the MIR
  - debian bugs: none (https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=python-maxminddb)
* The package is maintained well in Debian/Ubuntu (check out the Debian PTS)
  - https://tracker.debian.org/pkg/python-maxminddb
  - note about new upstream version available (1.5.2), released in December 2019 (we are in sync with debian at 1.4.1, which is currently the most recent 1.4.x release)
  - debian vcs has a few commits that weren't uploaded yet, not serious
  - the doc package, being arch all, could have a multiarch hint/fix
  - outdated standards version, but not by that much (4.4.0 vs 4.5.0)
* The package should not deal with exotic hardware which we cannot support.
  - no exotic hardware involved
* If the package ships a test suite, and there is no obvious reason why it cannot work during build (e. g. it needs root privileges or network access), it should be run during package build,
[Bug 1861101] Re: [MIR]: dependency of bind9
libmaxminddb was uploaded and migrated, setting task to "fix released".

** Changed in: libmaxminddb (Ubuntu)
       Status: New => Fix Released

** Changed in: libmaxminddb (Ubuntu)
       Status: Fix Released => Fix Committed
[Bug 1861101] Re: [MIR]: dependency of bind9
But it's still in universe, so setting back to fix committed until promotion happens.
[Bug 1861101] Re: [MIR]: dependency of bind9
I made a mistake in the python-geoip2 MIR[1]. This second statement is incorrect:

- dependencies are python3-maxminddb (>= 1.4.0), python3-requests, python3:any
- python3-maxminddb is a subject of this same MIR LP: #1861101 <--- FALSE

python3-maxminddb comes from src:python-maxminddb, not libmaxminddb.

1. https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/17

** Also affects: python-maxminddb (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 1861101] Re: [MIR]: dependency of bind9
- nginx was uploaded (https://launchpad.net/ubuntu/+source/nginx/1.17.9-0ubuntu2)
- libmaxminddb uploaded (https://launchpad.net/ubuntu/+source/libmaxminddb/1.4.2-0ubuntu1)
- seed change applied (https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/ubuntu/+merge/380547)
[Bug 1861101] Re: [MIR]: dependency of bind9
nginx FFe bug for the demotion of libnginx-mod-http-geoip: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1867150
[Bug 1861101] Re: [MIR]: dependency of bind9
== MIR for python-geoip2 bug task ==

Availability:
The package must already be in the Ubuntu universe, and must build for the architectures it is designed to work on.
- the package is in universe and is an arch all package.

Rationale:
There are two main reasons for this MIR:
- python-geoip for the geoip1 format/code is deprecated upstream and considered legacy
- python3-geoip is in the development seed, and we should replace it with the non-legacy python3-geoip2 package
  - "we have historically tended to seed python bindings for libraries we support as "development", on the grounds that python was a preferred language for developing on Ubuntu." (https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/ubuntu/+merge/380547/comments/998609)

Security
The security history and the current state of security issues in the package must allow us to support the package for at least 9 months (60 for LTS support) without exposing its users to an inappropriate level of security risks. This requires checking of several things that are explained in detail in the subsection Security checks.

Check how many vulnerabilities the package had in the past and how they were handled by upstream and the Debian/Ubuntu package:

https://cve.mitre.org/cve/search_cve_list.html: Search in the National Vulnerability Database using the package as a keyword
- no hits for "maxmind", "maxminddb", "libmaxminddb" other than a javascript implementation of this api
- no hits for "geoip2"
- "geoip" (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=geoip) has several hits on other implementations or just users of the generic "geoip" feature, not tied to this library or python module, with one exception for the legacy version of the geoip library, not subject to this MIR, but from the same upstream publisher: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0159

check OSS security mailing list (feed 'site:www.openwall.com/lists/oss-security ' into search engine)
- a search for "maxmind" returned https://www.openwall.com/lists/oss-security/2011/05/20/4 which is a CVE on the legacy version of the library, not on the python module. Other searches returned empty results.
- a search for "geoip2" returns no results
- a search for "geoip" returns 3 results (site:www.openwall.com/lists/oss-security geoip) all pointing to the same issue below:
  - https://www.openwall.com/lists/oss-security/2011/05/20/4 for CVE-2007-0159 and a follow-up CVE because of an incomplete fix in the legacy geoip library, not subject to this MIR, but from the same upstream source

Ubuntu CVE Tracker
http://people.ubuntu.com/~ubuntu-security/cve/main.html
- python-geoip2, geoip2, geoip, python3-geoip, python3-geoip2: no results
http://people.ubuntu.com/~ubuntu-security/cve/universe.html
- python-geoip2, geoip2, geoip, python3-geoip, python3-geoip2: no results
http://people.ubuntu.com/~ubuntu-security/cve/partner.html
- python-geoip2, geoip2, geoip, python3-geoip, python3-geoip2: no results

Check for security relevant binaries. If any are present, this requires a more in-depth security review.
Executables which have the suid or sgid bit set.
- there are no binaries at all, just python module code
Executables in /sbin, /usr/sbin.
- none
Packages which install services / daemons (/etc/init.d/*, /etc/init/*, /lib/systemd/system/*)
- none
Packages which open privileged ports (ports < 1024).
- none
Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)
- The only reverse-dependency of python3-geoip2 is an irc bot called "sopel" which is in universe

Quality assurance:
After installing the package it must be possible to make it work with a reasonable effort of configuration and documentation reading.
- it's a python module and it can be imported straight away
The package must not ask debconf questions higher than medium if it is going to be installed by default. The debconf questions must have reasonable defaults.
- no debconf questions
There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package. The status of important bugs in Debian's, Ubuntu's, and upstream's bug tracking systems must be evaluated. Important bugs must be pointed out and discussed in the MIR report.
- no bugs in ubuntu other than this MIR (https://bugs.launchpad.net/ubuntu/+source/python-geoip2)
- no bugs in debian (https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=python-geoip2)
The package is maintained well in Debian/Ubuntu (check out the Debian PTS)
https://tracker.debian.org/pkg/python-geoip2
- new upstream version available (3.0.0). Release notes: https://github.com/maxmind/GeoIP2-python/releases/tag/v3.0.0, Dec 2019 (not that far ago)
- unreleased vcs changes (just a standards-version bump:
[Bug 1861101] Re: [MIR]: dependency of bind9
Adding a task for release notes where we need to document the following upgrade scenario (and maybe others):

a) Since nginx-core dropped the dependency on libnginx-mod-http-geoip, an "apt autoremove" might suggest that libnginx-mod-http-geoip can be removed. If this happens, and there are still geoip configuration directives, nginx will fail to restart. Note that this would also happen had we replaced libnginx-mod-http-geoip with libnginx-mod-http-geoip2, as the configuration directives are different.

b) If someone has just main enabled, with nginx-core and libnginx-mod-http-geoip installed, and release upgrades to focal, libnginx-mod-http-geoip won't be updated because it's in focal/universe.

** Also affects: ubuntu-release-notes
   Importance: Undecided
       Status: New
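Added example, not code from the bug thread or from the nginx package: a POSIX shell check that walks an nginx configuration tree for references to the legacy GeoIP module (its load_module line, its geoip_* directives and its $geoip_* variables), so that scenario (a) above can be ruled out before an "apt autoremove" suggestion is accepted. The directive and variable names are those of nginx's ngx_http_geoip_module; the function names, the sample configuration files and the temporary directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug thread): before "apt autoremove" drops
# libnginx-mod-http-geoip, find out whether the nginx configuration still
# references the legacy module. Names below are those of nginx's
# ngx_http_geoip_module (legacy) and ngx_http_geoip2_module; sample configs,
# paths and function names are constructed for this demo.

# Legacy (GeoIP v1) configuration directives. An uncommented hit means nginx
# will refuse to start once the module is gone: the geoip2 module uses
# different directives, so nothing else provides these.
LEGACY_RE='^[[:space:]]*(geoip_country|geoip_city|geoip_org|geoip_proxy|geoip_proxy_recursive)[[:space:]]'
# load_module line for the legacy shared object (geoip2's is ngx_http_geoip2_module.so)
LEGACY_MOD_RE='load_module.*ngx_http_geoip_module\.so'
# Variables exported by the legacy module ($geoip_country_code, ...); an
# unknown variable in "if" or "map" is also a fatal config error.
LEGACY_VAR_RE='\$geoip_[a-z0-9_]+'

# geoip_legacy_directives DIR
#   Prints "file:line:text" for each legacy reference under DIR (comment
#   lines are skipped) and returns 1 if any were found, 0 if the tree is clean.
geoip_legacy_directives() {
    dir=$1
    # -r recurse, -n line numbers, -E extended regex, several -e patterns
    hits=$(grep -rnE -e "$LEGACY_RE" -e "$LEGACY_MOD_RE" -e "$LEGACY_VAR_RE" "$dir" 2>/dev/null \
           | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_configs BASE
#   Writes two constructed nginx trees under BASE: "legacy" still uses the
#   v1 module, "ported" has already been moved to geoip2.
make_sample_configs() {
    base=$1
    mkdir -p "$base/legacy/conf.d" "$base/ported"
    cat >"$base/legacy/nginx.conf" <<'EOF'
load_module modules/ngx_http_geoip_module.so;
http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    # geoip_city /usr/share/GeoIP/GeoIPCity.dat;  (commented out: must be ignored)
    include conf.d/*.conf;
}
EOF
    cat >"$base/legacy/conf.d/site.conf" <<'EOF'
server {
    listen 80;
    if ($geoip_country_code = XX) { return 403; }
}
EOF
    cat >"$base/ported/nginx.conf" <<'EOF'
load_module modules/ngx_http_geoip2_module.so;
http {
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        $geoip2_data_country_code country iso_code;
    }
}
EOF
}

# Demo over the constructed trees; a real check would be run on /etc/nginx.
demo() {
    tmp=$(mktemp -d)
    make_sample_configs "$tmp"
    for tree in legacy ported; do
        if geoip_legacy_directives "$tmp/$tree"; then
            echo "$tree: no legacy geoip references, the module can be removed"
        else
            echo "$tree: legacy geoip references listed above, keep libnginx-mod-http-geoip installed"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Point it at /etc/nginx instead of the constructed trees; a non-zero return means the legacy module is still referenced and the autoremove suggestion should be declined until the configuration is ported. A geoip2 setup whose administrator kept $geoip_* as the variable names will also be flagged by the variable pattern, so treat the output as a list to review rather than a hard block.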
[Bug 1861101] Re: [MIR]: dependency of bind9
I have a debdiff[1] from Teward to drop libnginx-mod-http-geoip from nginx-core, which would allow us to demote libnginx-mod-http-geoip to universe, and thus demote libgeoip(1) too.

@cpaelzer, would that satisfy the requirements? In the meantime I'll go ahead and prepare nginx packages with this diff and test them.

1. https://paste.ubuntu.com/p/4q3Bv9Sy53/
[Bug 1861101] Re: [MIR]: dependency of bind9
How about we demote libnginx-mod-http-geoip to universe? Given:

- nginx upstream isn't interested in switching to geoip2 (libmaxminddb). So much so that ubuntu went to great lengths to add a module to support it.
- nginx is relying on obsolete geoip1 library (maxmind, the upstream, calls it "legacy", but I have no idea for how long it will be supported)
- bind9 was calling geoip1 deprecated already in the 9.11 releases, and finally removed support for it in the new stable 9.16 release

Bind9 is the main reason for this change, but at the same time it feels like a good opportunity to move forward and demote legacy code.

The only reverse-depends of libnginx-mod-http-geoip are nginx packages themselves.
[Bug 1861101] Re: [MIR]: dependency of bind9
For nginx, I'm unable to push to a new repo in lp at the moment[1], but the diff is simple:

commit 34f9c1428d2d4eeab01f04e92e54bf311fa859b8 (HEAD -> focal-nginx-geoip2-in-main) Author: Andreas Hasenack Date: Wed Mar 11 10:35:00 2020 -0300 * d/control: have nginx-core pull in the geoip2 package instead of geoip, which is legacy (LP: #1861101) diff --git a/debian/control b/debian/control index 4c107b0f..a125a245 100644 --- a/debian/control +++ b/debian/control @@ -68,7 +68,7 @@ Description: small, powerful, scalable web/proxy server - common files Package: nginx-core Architecture: any -Depends: libnginx-mod-http-geoip (= ${binary:Version}), +Depends: libnginx-mod-http-geoip2 (= ${binary:Version}), libnginx-mod-http-image-filter (= ${binary:Version}), libnginx-mod-http-xslt-filter (= ${binary:Version}), libnginx-mod-mail (= ${binary:Version}),

nginx-core is in main, and it's the metapackage that needs changing. The other packages which pull in libnginx-mod-http-geoip are nginx-full and nginx-extras, and both:
a) are in universe
b) pull in both geoip modules already (-geoip and -geoip2).

1. https://answers.launchpad.net/launchpad/+question/689269
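Review bot: swapping the dependency at `-Depends: libnginx-mod-http-geoip (= ${binary:Version}),` / `+Depends: libnginx-mod-http-geoip2 (= ${binary:Version}),` leaves nothing in nginx-core holding the legacy module on upgraded systems, so libnginx-mod-http-geoip becomes a candidate for autoremove while any remaining geoip (v1) directives in the local configuration will make nginx fail to restart once it is removed, and the geoip2 module's directives are different, so the new dependency does not cover them. Pair the control change with a release-notes or NEWS entry that tells administrators to port their configuration before removing the old module, and add a debian/changelog entry, since the diff touches only debian/control.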
[Bug 1861101] Re: [MIR]: dependency of bind9
Added an nginx task to this bug for the work needed on that package. This is not about MIR nginx.

** Also affects: nginx (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: nginx (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: nginx (Ubuntu)
       Status: New => In Progress