Bug#752922: apache2 upgrade wheezy->jessie breaks certain apache2 modules

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#752922: apache2 upgrade wheezy->jessie breaks certain apache2 modules
From: Alex Bligh <alex@alex.org.uk>
Date: Fri, 27 Jun 2014 19:35:39 +0000
Message-id: <[🔎] 20140627193539.8389.94345.reportbug@debiantest>
Reply-to: Alex Bligh <alex@alex.org.uk>, 752922@bugs.debian.org

Package: apache2
Version: 2.4.9-2
Severity: important

Dear Maintainer,

Upgrading from stable (wheezy) to testing (jessie) permanently breaks certain apache2 modules.

This bug has also been filed for Ubuntu:
  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1333388
but the Ubuntu folks suggested this should be fixed upstream so I am filing the bug report here. This report should be a bit easier to read.

When stable is upgraded to testing, apache 2.2 is replaced by apache 2.4. Under apache 2.4, the default set of modules build is different to that under apache 2.2, and certain modules (e.g. mod_ident, which is the one that bit me) are not built, and are not included by default in the apache 2.4 package. Nor are they included in any other package.

This is in itself a problem, because any systems relying on these modules will not survive the upgrade.

Worse, though is what happens after an upgrade. I rebuilt mod_ident as a separate .deb in the hope it would work and could be contributed back:

  https://github.com/abligh/libapache-mod-ident

However, this exposes a conffile handling issue which is hard to work around in any normal manner.

The issue is as follows. When apache2.2-common is installed, it has a conffile for the .load file of the relevant module. In this instance:

root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
 /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f

When this is upgraded to jessie (using fist-upgrade), the conffile is (correctly) removed, but the record of the conffile still exists under the apache2.2-common package.

During install we see:
Removing apache2.2-common (2.2.22-13+deb7u1) ...
(Reading database ... 14345 files and directories currently installed.)
Preparing to unpack .../apache2_2.4.9-2_amd64.deb ...
Moving obsolete conffile /etc/apache2/mods-available/authz_default.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/authn_default.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/mem_cache.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/mem_cache.conf out of the way...
Moving obsolete conffile /etc/apache2/mods-available/authn_alias.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/cern_meta.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/disk_cache.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/disk_cache.conf out of the way...
Moving obsolete conffile /etc/apache2/mods-available/ident.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/imagemap.load out of the way...
Unpacking apache2 (2.4.9-2) over (2.2.22-13+deb7u1) ...


but then afterwards:

root@debiantest:~# dpkg --list | fgrep apache
ii  apache2                       2.4.9-2               amd64        Apache HTTP Server
ii  apache2-bin                   2.4.9-2               amd64        Apache HTTP Server (binary files and modules)
ii  apache2-data                  2.4.9-2               all          Apache HTTP Server (common files)
ii  apache2-mpm-worker            2.4.9-2               amd64        transitional worker MPM package for apache2
ii  apache2-utils                 2.4.9-2               amd64        Apache HTTP Server (utility programs for web servers)
ii  apache2.2-bin                 2.4.9-2               amd64        Transitional package for apache2-bin
rc  apache2.2-common              2.2.22-13+deb7u1      amd64        Apache HTTP Server common files
root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
 /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f


Now imagine you have another package which depends on mod_ident to work. It can:

  Depends: apache2, apache2.2-bin | libapache2-mod-ident

which means it will pull in another libapache2-mod-ident module for apache 2.4 at the time of the upgrade as apache2.2-bin will be removed.

However, this then won't install the conffile above as apache2.2-common owns it. Adding Replaces: Breaks: to the 2.4 module is insufficient as thought this marks apache2.2's entry for the conffile as obsolete, the .load file still doesn't get installed. Commit cb55f139c661cd345f1e1234a977f6c17b653bd1 to the version of mod_ident above works around this in a fairly disgusting manner, i.e. Replaces: Breaks:, plus copying the file in manually in the .postinst if it's not already there.

In summary, the change to 2.4 makes it VERY HARD to safely upgrade from wheezy to jessie if a program relies upon the relevant modules. I can see why the auth modules might have been deprecated, but I see no reason why the ident module should have been.

I would suggest:
* Produce a apache2-mod-extra package containing the non-default modules (i.e. build with the 'reallyall' parameter to configure but put these extra modules in a separate package);
 or
* Build the excised modules into separate packages; or
* Reinstate these to the main package

The problem with the third option is now any users of these will have worked around the problem by producing their own package, an updated version which reinstates them will break that package.

The full list of modules affected is (I think):
authn_alias
authn_default
authz_default
cern_meta
disk_cache
ident
imagemap
mem_cache
version



-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13.0-29-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-bin   2.4.9-2
ii  apache2-data  2.4.9-2
ii  lsb-base      4.1+Debian13
ii  mime-support  3.56
ii  perl          5.18.2-4
ii  procps        1:3.3.9-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.34

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  apache2-utils                                    2.4.9-2
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-2
ii  libaprutil1              1.5.3-2
ii  libaprutil1-dbd-sqlite3  1.5.3-2
ii  libaprutil1-ldap         1.5.3-2
ii  libc6                    2.19-3
ii  libldap-2.4-2            2.4.39-1
ii  liblua5.1-0              5.1.5-5
ii  libpcre3                 1:8.31-5
ii  libssl1.0.0              1.0.1h-3
ii  libxml2                  2.9.1+dfsg1-3
ii  perl                     5.18.2-4
ii  zlib1g                   1:1.2.8.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.9-2
ii  apache2-bin  2.4.9-2

-- no debconf information

Reply to:

Prev by Date: Bug#752872: libapr1: file locking is broken, leading to file corruption in e.g. libapache2-mod-auth-cas session files
Next by Date: Processed: update versions for 734865
Previous by thread: Bug#752872: libapr1: file locking is broken, leading to file corruption in e.g. libapache2-mod-auth-cas session files
Next by thread: Processed: update versions for 734865
Index(es):
- Date
- Thread