
Bug#959195: marked as done (apache2: Extras for deflate.conf: text/javascript)



Your message dated Sat, 08 Aug 2020 08:23:18 +0000
with message-id <E1k4K8M-000J4c-De@fasolo.debian.org>
and subject line Bug#959195: fixed in apache2 2.4.46-1
has caused the Debian Bug report #959195,
regarding apache2: Extras for deflate.conf: text/javascript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
959195: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959195
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: apache2
Version: 2.4.25

The default deflate.conf file provided in the Debian package for apache2
instructs the server to consider compressing responses for
application/javascript. [1]

This MIME type is declared as canonical for ".js" by RFC 4329, [2] and is
also associated with ".js" in the default mime.types file. This means for
static JS files served from disk, Apache compresses them out-of-the-box.

However, out in the wild, the text/javascript MIME type is quite common,
if not more common, [3] than application/javascript. As such, when Apache
proxies responses from CGI applications or from other external services,
it often ends up not compressing javascript responses.

This is currently known to affect MediaWiki, WordPress, and likely other
popular web applications as well. [4][5] It can be non-trivial for an
upstream like MediaWiki to change this as these MIME types may be deeply
embedded in stable APIs and data structures. For example, its database
schema and its `ctype` HTTP query parameter both require `text/javascript`.

RFC 4329 defines "equivalent processing requirements for text/javascript,
… and application/javascript". As such, I think Apache2 should consider
both of these for compression by default.

This has the potential to have a big impact on the web. As an example, there
seem to be lots of public MediaWiki sites out there who use Debian Linux (or
downstreams like Ubuntu), and have mod_deflate enabled with the default
compression for text/html and text/css, but have apparently not realised the
lack of JS compression and/or were unable to configure it. [6]

I am new to Debian and its bug tracker and would be interested in submitting
a patch for this if the request is accepted.

-- Timo Tijhof

Principal Engineer,
Performance Team,
Wikimedia Foundation.

[1] Original patch: https://salsa.debian.org/apache-team/apache2/-/commit/4d93abc8899873ff27080f9261093a02e47320e4

[2] RFC 4329: https://tools.ietf.org/html/rfc4329

[3] text/javascript might become the canonical instead:
https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/

[4] WordPress: https://github.com/WordPress/WordPress/blob/5.4.1/wp-includes/SimplePie/Misc.php#L2130

[5] MediaWiki: https://gerrit.wikimedia.org/g/mediawiki/core/+/1.34.1/includes/resourceloader/ResourceLoader.php#892

[6] StackOverflow: https://duckduckgo.com/?q=stackoverflow+"text%2Fjavascript"+"apache"+"deflate"



--- End Message ---
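
Added example, not part of the report or of the Debian package: a small checker for the gap described above. It reads the AddOutputFilterByType lines of a deflate.conf-style file and lists which Content-Type values would be served uncompressed. The sample configuration and the Content-Type values are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a deflate.conf; not copied from the package.
SAMPLE_CONF = """\
<IfModule mod_deflate.c>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/css
        # AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE application/javascript \\
            application/xml
    </IfModule>
</IfModule>
"""

DIRECTIVE = re.compile(r"^\s*AddOutputFilterByType\s+(\S+)\s+(.*)$", re.IGNORECASE)

def deflate_types(conf_text):
    """Return the set of media types listed for the DEFLATE filter."""
    # A trailing backslash continues a directive on the next line.
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    types = set()
    for line in joined.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # The first argument may be a ';'-separated chain of filter names.
        filters = [f.upper() for f in m.group(1).split(";")]
        if "DEFLATE" in filters:
            types.update(t.lower() for t in m.group(2).split())
    return types

def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' from a Content-Type value."""
    return content_type.split(";", 1)[0].strip().lower()

def uncompressed(conf_text, content_types):
    """List the Content-Type values the configuration would not compress."""
    covered = deflate_types(conf_text)
    return [ct for ct in content_types if media_type(ct) not in covered]

if __name__ == "__main__":
    # Constructed Content-Type values, as a proxied application might send them.
    seen = ["text/html; charset=UTF-8", "application/javascript",
            "text/javascript; charset=utf-8", "text/css"]
    print(uncompressed(SAMPLE_CONF, seen))
```
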
--- Begin Message ---
Source: apache2
Source-Version: 2.4.46-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 08 Aug 2020 08:33:36 +0200
Source: apache2
Architecture: source
Version: 2.4.46-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 959195
Changes:
 apache2 (2.4.46-1) unstable; urgency=medium
 .
   [ Xavier Guimard ]
   * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
 .
   [ Timo Tijhof ]
   * Compress text/javascript with mod_deflate by default (Closes: #959195)
 .
   [ Xavier Guimard ]
   * Add "Multi-Arch: same" to apache2-ssl-dev and libapache2-mod-md
   * Update upstream keys
   * New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
     CVE-2020-9490)

--- End Message ---
