
Bug#487431: ITP: libapache-mod-security2 -- Tighten web applications security for Apache



Package: wnpp
Severity: wishlist
Owner: Alberto Gonzalez Iniesta <agi@inittab.org>

* Package name    : libapache-mod-security2
  Version         : 2.5.x
  Upstream Author : Breach Security, Inc. (http://www.breach.com/)
* URL             : http://www.modsecurity.org/
* License         : GPLv2
  Programming Lang: C
  Description     : Tighten web applications security for Apache

 Mod_security is an Apache 1.x/2.x module whose purpose is to tighten the Web
 application security. Effectively, it is an intrusion detection and prevention
 system for the web server.
 .
 At the moment its main features are:
 * Audit log; store full request details in a separate file, including POST
   payloads.
 * Request filtering; incoming requests can be analysed and offensive requests
   can be rejected (or simply logged, if that is what you want). This feature
   can be used to prevent many types of attacks (e.g. XSS attacks, SQL
   injection, ...) and even allow you to run insecure applications on your
   servers (if you have no other choice, of course).


**********************
** To: debian-legal **
**********************

I'm Cc'ing debian-legal because this package was removed from Debian [1]
due to GPLv2 and Apache licences not being compatible [2][3].
After some threads in upstream's mailing list, great interest from users
and some work from upstream [4], they (upstream) wrote an exception (draft)
in order to get ModSecurity back to Debian [5].

So upstream is basically waiting for the green light from -legal on this
draft so the new release already includes it.

I'm sending this ITP because I understand this exception should solve
the problem and got positive feedback from other DDs. So please, if you
see something wrong with this, talk now or STFU forever :)

Please Cc: me and Ivan since we're not subscribed.

Thanks,

Alberto


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313615
[2] http://www.gnu.org/philosophy/license-list.html#GPLIncompatibleLicenses
[3] http://www.thinkingstone.com/about/legal/licensing-clarifications.html
[4] http://lists.debian.org/debian-legal/2008/01/msg00172.html
[5] http://blog.modsecurity.org/2008/06/modsecurity-lic.html


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25.6 (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Alberto Gonzalez Iniesta       | They that give up essential liberty
agi@(agi.as|debian.org)        | to obtain a little temporary safety
Encrypted mail preferred       | deserve neither liberty nor safety.
                                               -- Benjamin Franklin
Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


