
Bug 260174

Summary: www-servers/lighttpd-1.4.22 version bump
Product: Gentoo Linux
Reporter: Markus Hauschild <hauschild.markus>
Component: New packages
Assignee: Christian Hoffmann (RETIRED) <hoffie>
Status: RESOLVED FIXED
Severity: enhancement
CC: babykart, bertrand, dimanish, dschridde+gentoobugs, genzilla, spatz, toto, www-servers+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.lighttpd.net/2009/3/7/1-4-22-echoes
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 259007, 264840
Bug Blocks: 264488
Attachments:
 - lighttpd-1.4.20-vs.-1.4.22-ebuild.diff
 - lighttpd-1.4.20-vs.-1.4.22-v2.diff
 - lighttpd-1.4.22.ebuild
 - lighttpd-1.4.22-r1.ebuild

Description Markus Hauschild 2009-02-24 20:41:37 UTC
lighttpd 1.4.21 was released a few days ago

Reproducible: Always

Steps to Reproduce:
Comment 1 Johan Bergström 2009-02-25 10:29:28 UTC
Please consider this bump since it has some security fixes (CVE-2008-4359). I can't see any patches against 1.4.20 to fix these, so a version bump needs to (at least) be available in testing.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-03-01 21:04:42 UTC
No, CVE-2008-4359 has been disputed. There was a fix in 1.4.20 which caused regressions and 1.4.21 has this "fix" reverted again (solution: do not use url.re{direct,write} to implement access restrictions in the config).
Therefore, this bump is not urgent and I'll wait for 1.4.22 final (rc2 is already there) because 1.4.21 has a mod_simple_vhost regression.
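
Added example (not part of this bug thread, the ebuild, or the lighttpd sources): the advice in comment 2 as a lighttpd 1.4 configuration fragment, with the rewrite-based restriction shown commented out beside a mod_access rule. The `/private/` prefix and `/denied.html` target are hypothetical names chosen for illustration.

```conf
# Added example; /private/ and /denied.html are hypothetical names.

server.modules += ( "mod_access" )

# Weak (do not use): a rewrite rule standing in for an access restriction.
# CVE-2008-4359 was filed because url.redirect / url.rewrite patterns are
# compared with the request URI before URL decoding, so such a rule only
# covers the spellings of the path that the regex happens to match.
# Comment 2 notes that the 1.4.20 change to this was reverted in 1.4.21,
# so the rule below must not be relied on as a security boundary.
#
# url.rewrite-once = (
#     "^/private/" => "/denied.html"
# )

# Preferred: express the restriction with mod_access inside a conditional.
# $HTTP["url"] is evaluated on the decoded, normalised URL path, and
# url.access-deny = ( "" ) matches every path inside the block, so the
# server answers 403 for the whole subtree.
$HTTP["url"] =~ "^/private/" {
    url.access-deny = ( "" )
}
```

After editing, `lighttpd -t -f <path to lighttpd.conf>` checks the configuration syntax before the service is restarted.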
Comment 3 Markus Hauschild 2009-03-07 15:38:01 UTC
Update: 1.4.22 released
Comment 4 Markus Hauschild 2009-03-21 02:28:20 UTC
1.4.22 final has been out for two weeks now - what keeps it from being bumped?
Comment 5 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-01 20:05:42 UTC
Created attachment 187013 [details, diff]
lighttpd-1.4.20-vs.-1.4.22-ebuild.diff

this is a preliminary proposal as to what a 1.4.22 ebuild may look like. i would love some feedback.

i haven't checked if the use-dep on the virtual/httpd-php actually works, which is why the separate check is still in.

before this can go in - we need to ask for more complete keywording on the new www-servers/spawn-fcgi. will do so in a day or two (unless somebody finds bugs in it - please test)

this is work-in-progress. handle with care.
thanks
kind regards
Thilo
Comment 6 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-03 20:54:51 UTC
Created attachment 187245 [details, diff]
lighttpd-1.4.20-vs.-1.4.22-v2.diff

a new and improved version of the bump-patch.
changes relative to 1.4.20:
 - convert to EAPI=2
 - dump our last patch as it won't be included upstream (see http://redmine.lighttpd.net/issues/296)
 - call eautoreconf after Makefile.in has been changed
 - drop depend.php eclass - use USE-deps instead
 - drop warning about fam, since we don't warn in a million other places
 - integrate www-servers/spawn-fcgi
 - remove resolved block with cherokee
 - remove WANT_AUTOCONF=latest and WANT_AUTOMAKE=latest
 - install versionless init script and versionless fastcgi.conf -
   this requires the content from the versioned files to be copied to the
   versionless version...
 - warn about config change regarding spawn-fcgi
 - warn about dropped pipe-logging patch

comments, critics, objections?
hoffie: what's your take?
thanks
Comment 7 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-03 21:02:14 UTC
Created attachment 187247 [details]
lighttpd-1.4.22.ebuild

in order to allow for easier testing here a full copy of the proposed ebuild.
I have also committed the new init script and fastcgi.conf files - so no other files beside this ebuild are needed for testing.
Comment 8 Markus Hauschild 2009-04-04 18:21:57 UTC
I have tested your ebuild for .22 on a dev-server (only running trac via fastcgi atm) and I wonder why lighttpd depends on spawn-fcgi if you enable the fastcgi useflag.
I removed the dep from the ebuild, emerged it and it's all running fine.
So I would encourage you to _not_ depend on spawn-fcgi (I don't see why I should install it and mod_fastcgi obviously also works without it.).
Comment 9 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-04 20:30:15 UTC
markus: thanks for testing.

the fastcgi issue you bring up is a valid objection. the only reason i left it in was so as not to break existing setups. however, we are doing quite a number of backwards incompatible changes already, so it may be a good time to also change this. i'll think about it.
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-05 16:16:34 UTC
I currently just have time to read through the comments. Everything of it looks great, except for the dropping of the errorpipe logging patch. Some weeks ago I discussed it with upstream and the outcome was that the patch has not been accepted because it adds redundant code -- if the patch had unified the logging process for both accesslog and errorlog, it would have been accepted... So I'm not quite sure on this one.

I'll be asking back, but in general introducing this regression for our users does not sound like that great an idea, especially considering that the patch has never caused any problems and upstream had no direct objections to it either, besides adding redundant code.

I'll let you know once I've got something new.

Regarding spawn-fcgi, I'd be in favor of making it a dependency of lighttpd, simply because it used to be included (so same reasoning -- avoiding breakage of backward compatibility).


So.. thanks for all the work and sorry for my current unavailability... now I'm focusing mainly on PHP, as no one else will touch this currently. :)

-- OT --
Ah, and before I forget:
18:06:09 <@jokey> but send some love (if you mail him) from me and Dennis Duggen ;)
;)
Comment 11 Markus Hauschild 2009-04-05 16:59:42 UTC
Hi, regarding the pipe-logging patch:
I wouldn't mind it still being included, since it obviously doesn't break anything.

Regarding spawn-fcgi:
Users already have to manually check/rewrite their config, so I don't see why the fastcgi useflag should pull in spawn-fcgi since it's not technically required for fastcgi.
Comment 12 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-10 10:46:30 UTC
(In reply to comment #10)
> I currently just have time to read through the comments. Everything of it looks
> great, except for the dropping of the errorpipe logging patch. Some weeks ago I
> discussed it with upstream and the outcome was that the patch has not been
> accepted because it adds redundant code -- if the patch had unified the logging
> process for both accesslog and errorlog, it would have been accepted... So I'm
> not quite sure on this one.
> 
> I'll be asking back, but in general introducing this regression for our users
> does not sound like that great an idea, especially considering that the patch
> has never caused any problems and upstream had no direct objections to it
> either, besides adding redundant code.
> 
> I'll let you know once I've got something new.
Ok, I talked to Stefan Bühler and the patch is about to be included into the official sources (http://repo.or.cz/w/lighttpd.git?a=commitdiff;h=0160750ce31a5b82cfda16e3fc8f1df08a80bd7d), so let's keep this for 1.4.22 @ gentoo and hope that 1.4.23 will contain it anyway.
Comment 13 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-10 14:11:05 UTC
agreed. i had changed my mind on it already...

regarding the spawn-fcgi issue however, i still think it is a good idea to not depend on it. we are breaking existing spawn-fcgi setups this time around anyway, so now is a good time to also drop the dep. all setups not making use of spawn-fcgi are unaffected...
Comment 14 Markus Hauschild 2009-04-12 11:46:44 UTC
My .22 installation is still running fine - no problems so far.

Update on the pipe error log: the issue has been fixed upstream: see http://redmine.lighttpd.net/issues/296
Comment 15 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-05-12 10:13:25 UTC
Created attachment 191011 [details]
lighttpd-1.4.22-r1.ebuild

minor update. the usebased dep on virtual/httpd-php[cgi] is illegal...

this will likely go in soon.
Comment 16 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-05-14 08:43:47 UTC
Comment on attachment 191011 [details]
lighttpd-1.4.22-r1.ebuild

1.4.22-r1 is now in the tree.
Comment 17 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-05-14 08:45:09 UTC
closing - users of spawn-fcgi on hppa will have to wait for keywording on it to happen (bug #264840)

thanks.