I've asked teward to keep HTTP/2 disabled in nginx for a little while. We certainly want HTTP/2 support in 16.04 LTS but (a) http/2 is very new (b) http/2 is based on design patterns that have proved to be very difficult to implement without security issues. So I hope to offer http/2 support in nginx via an SRU shortly after 16.04 LTS is released.
Security issues in complex software is a given; part of my role on the security team is balancing new features against security risks. I'd feel immensely better about offering http/2 to our users after the wider security community has had some time to find 'easy' issues. (I say this with full respect for what the nginx team have built; I suspect they feel similarly otherwise they would have already released 1.10 with http/2 a first-class citizen.) I wish the timing were a little different: however, both nginx and 16.04 LTS are aiming for roughly the same date, so there's no easy way to get the wider coverage I'd like http/2 to get before we ship our next LTS release. If you'd like to contribute, please consider running e.g. https://github.com/c0nrad/http2fuzz against nginx mainline releases or nginx hg tip builds. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1552949 Title: the "http2" parameter requires ngx_http_v2_module To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1552949/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
