Re: apache2 DSA considerations for etch
I assume that you are part of the Debian Apache Maintainers and hence
should notice when the security team updates Apache 2/2.2.
Why isn't apache2-mpm-itk built as part of the Apache 2 package?
Steinar H. Gunderson wrote:
> I was asked to check this with you before the RMs would let apache2-mpm-itk
> into etch.
>
> apache2-mpm-itk is an unofficial MPM for Apache 2.0 and up (although it has
> only ever existed in Debian for 2.2). It basically builds by depending on
> apache2-src, extracting that, patching itself in, building, and putting the
> /usr/sbin/apache2 binary into the .deb. (This is exactly what the other MPMs
> do, except that this one comes from a different source package and requires
> a patch.)
>
> This means that every time apache2 is revved, apache2-mpm-itk will have to be
> rebuilt. A simple binNMU will suffice; the scripts automatically figure out
> the apache2-common version to depend on, and any changes to apache2
> automatically trickle down into -mpm-itk (since it uses apache2-src as a
> base). However, this also means that the security team will have to do the
> same when fixing security bugs in apache2; if a bug is discovered,
> apache2-mpm-itk will need to be rebuilt (without any source changes, though,
> assuming the hole isn't specific to -mpm-itk, of course).
At least the code doesn't exist twice.
> Would this be OK for the security team? (I do not know of any objections from
> the debian-apache team; after all, apache2-src was added explicitly to
> support apache2-mpm-itk, as the debian-apache team currently does not want
> -mpm-itk within their own package.)
*sigh* That would've been the best solution.
I'd say this is ok, however, please watch security updates as the security
team will probably forget to update apache2-mpm-itk when apache2 has been
updated. (->Murphy)
Regards,
Joey
--
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier
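The failure mode discussed above (apache2 gets a security update, apache2-mpm-itk is not binNMU'd against it) can be spotted from the archive's Packages index. The following is an added example, not code from this thread or from the Debian packages; the Packages stanzas are a constructed sample in standard Debian control format, and the version strings are made up.

```python
"""Detect an apache2-mpm-itk that was not rebuilt after an apache2 update.

Parses a fragment of a Debian Packages index and reports whether the
apache2-common version that apache2-mpm-itk pins in its Depends still
matches the apache2-common version the archive currently ships.
"""
import re

# Constructed sample: apache2-common has been revved (2.2.3-4 -> 2.2.3-5),
# but apache2-mpm-itk still pins the old version, i.e. it missed its binNMU.
SAMPLE_PACKAGES = """\
Package: apache2-common
Version: 2.2.3-5
Architecture: i386
Depends: libapr1, libc6 (>= 2.3.6-6)

Package: apache2-mpm-itk
Version: 2.2.3-01-1+b1
Architecture: i386
Depends: apache2-common (= 2.2.3-4), libc6 (>= 2.3.6-6)
"""

def parse_packages(text):
    """Return {package name: {field: value}} for each stanza in a Packages file."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        stanzas[fields["Package"]] = fields
    return stanzas

def pinned_version(depends, target):
    """Extract the version that a '(= X)' dependency on `target` pins, or None."""
    m = re.search(r"\b%s\s*\(=\s*([^)\s]+)\)" % re.escape(target), depends)
    return m.group(1) if m else None

def check_mpm_itk(packages_text, mpm="apache2-mpm-itk", base="apache2-common"):
    """Return (needs_rebuild, pinned, shipped) for the given Packages index."""
    pkgs = parse_packages(packages_text)
    shipped = pkgs[base]["Version"]
    pinned = pinned_version(pkgs[mpm].get("Depends", ""), base)
    # A mismatch means the archive ships an MPM built against an older apache2.
    return (pinned != shipped, pinned, shipped)

if __name__ == "__main__":
    stale, pinned, shipped = check_mpm_itk(SAMPLE_PACKAGES)
    print("rebuild needed" if stale else "up to date", pinned, shipped)
```

Run against a real index, the same check flags any MPM package whose pinned apache2-common version lags the shipped one.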