
apache2 DSA considerations for etch


I was asked to check this with you before the RMs would let apache2-mpm-itk
into etch.

apache2-mpm-itk is an unofficial MPM for Apache 2.0 and up (although it has
only ever existed in Debian for 2.2). It basically builds by depending on
apache2-src, extracting that, patching itself in, building, and putting the
/usr/sbin/apache2 binary into the .deb. (This is exactly what the other MPMs
do, except that this one comes from a different source package and requires
a patch.)

This means that every time apache2 is revved, apache2-mpm-itk will have to be
rebuilt. A simple binNMU will suffice; the scripts automatically figure out
the apache2-common version to depend on, and any changes to apache2
automatically trickle down into -mpm-itk (since it uses apache2-src as a
base). However, this also means that the security team will have to do the
same when fixing security bugs in apache2; if a bug is discovered,
apache2-mpm-itk will need to be rebuilt (without any source changes, though,
assuming the hole isn't specific to -mpm-itk, of course).

Would this be OK for the security team? (I do not know of any objections from
the debian-apache team; after all, apache2-src was added explicitly to
support apache2-mpm-itk, as the debian-apache team currently does not want
-mpm-itk within their own package.)

/* Steinar */
Homepage: http://www.sesse.net/
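The practical consequence of the binNMU arrangement described above is that, after a DSA for apache2, an out-of-tree MPM such as apache2-mpm-itk stays pinned (via an exact-version Depends) to the apache2-common build it was last compiled against until it is rebuilt. The following is an added example, not part of the original mail or of the Debian packaging: a POSIX shell script that reads dpkg status records and reports whether an MPM package was built against a given apache2-common version (the one a DSA ships) or still needs a binNMU. The status records, package versions and the package name "apache2-common" are constructed for illustration and are assumptions, not real etch data.

```shell
#!/bin/sh
# Added example (not from the original mail): decide whether an out-of-tree
# MPM package was rebuilt against the apache2-common version a DSA ships.
# The status text below is constructed sample data in the shape that
# `dpkg -s <pkg> ...` prints; all versions are invented for the example.

SAMPLE_STATUS='Package: apache2-common
Version: 2.2.3-4+etch1
Status: install ok installed

Package: apache2-mpm-prefork
Version: 2.2.3-4+etch1
Status: install ok installed
Depends: apache2-common (= 2.2.3-4+etch1), libc6 (>= 2.3.6-6)

Package: apache2-mpm-itk
Version: 2.2.3-01-1
Status: install ok installed
Depends: apache2-common (= 2.2.3-4), libc6 (>= 2.3.6-6)
'

# installed_version STATUS PKG
#   Prints the Version: field of PKG from dpkg status text.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        /^Package: /                { cur = $2 }
        /^Version: / && cur == pkg  { print $2; exit }'
}

# built_against STATUS PKG BASE
#   Prints the exact version of BASE that PKG pins in its Depends: line
#   (a "BASE (= x)" relation); prints nothing if there is no such relation.
built_against() {
    printf '%s\n' "$1" | awk -v pkg="$2" -v base="$3" '
        /^Package: /                { cur = $2 }
        /^Depends: / && cur == pkg {
            sub(/^Depends: /, "")
            n = split($0, deps, /, */)
            for (i = 1; i <= n; i++) {
                if (deps[i] ~ "^" base " \\(= ") {
                    v = deps[i]
                    sub(/^[^(]*\(= */, "", v)   # drop "BASE (= "
                    sub(/ *\)$/, "", v)         # drop trailing ")"
                    print v
                    exit
                }
            }
        }'
}

# mpm_status STATUS MPM BASE TARGET
#   Prints one of:
#     current  MPM pins exactly TARGET (the version the DSA ships)
#     stale    MPM pins some other BASE version; it needs a binNMU before
#              TARGET can be installed alongside it
#     unknown  MPM declares no exact-version relation on BASE
mpm_status() {
    pinned=$(built_against "$1" "$2" "$3")
    if [ -z "$pinned" ]; then
        echo unknown
    elif [ "$pinned" = "$4" ]; then
        echo current
    else
        echo stale
    fi
}

# Stand-alone run: compare each MPM against the installed apache2-common.
target=$(installed_version "$SAMPLE_STATUS" apache2-common)
for mpm in apache2-mpm-prefork apache2-mpm-itk; do
    echo "$mpm: $(mpm_status "$SAMPLE_STATUS" "$mpm" apache2-common "$target")"
done
```

On a real system the status text would come from `dpkg -s apache2-common apache2-mpm-itk` and the target version from the DSA announcement or from `apt-cache policy apache2-common`; a "stale" result for -mpm-itk after an apache2 DSA means the MPM binary still contains the pre-fix Apache code until the binNMU lands.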
