
Bug#1035748: unblock: modsecurity/3.0.9-1



hi there,

sorry to join this conversation :),

On Thu, Jun 01, 2023 at 09:52:06PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
> 
> Hi,
> 
> On 28-05-2023 21:30, Alberto Gonzalez Iniesta wrote:
> > 2) The risks on the release quality are almost zero. Only
> > libnginx-mod-http-modsecurity depends on it (being modsecurity a
> > library).
> 
> That's not the only part that we mean here. We also mean, how big is the
> risk we introduce new *unknown* issues.

I think there is absolutely no risk. Both packages (libmodsecurity3
and libnginx-mod-http-modsecurity) are totally new packages; we
won't introduce any "unknown" issues.

Or, sorry to say, I don't see what issues you are thinking about.

> > 4) No idea
> 
> Then I don't think so. If your upstream would have a decent stable update
> policy, they wouldn't introduce so many gratuitous changes (e.g. white space
> only).

Unfortunately the vendor releases new versions randomly. :(
 
> > 6) Yes
> 
> I fail to spot it. Can you please point which version?

Hmmm... I don't think so (I mean the correct answer for the 6th
question is no). As I noted above, both packages are totally new.

(But the demand is very big)
 
> > 7) Its too long but mainly because of line numbers being updated in code
> > comments, like:
> > -#line 1459 "seclang-parser.yy"
> > +#line 1461 "seclang-parser.yy"
> > 8) Not that many code changes
> 
> Yet there is a huge amount of white space changes and other changes that
> look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> can we do a targeted security upload via security?

these files (which created the huge diff) are generated by Bison.
These describe the grammar for the SecLang configuration syntax.

This is how a compiler works: if the developer adds a new token or
changes a small behavior, it can result in a huge diff.

(A side note: it is not these files (above) that have the huge diff,
but the derived ones: seclang-parser.cc, seclang-parser.hh,
seclang-scanner.cc)

 
> > 9) Not that difficult :-)
> 
> Might be, but impossible to review between all the cruft.

The mentioned files have a huge diff, but those diffs are there
because those files are compiled.

You can consider these like a .am file, which is generated from a
.in file with the help of autotools.

I'm not sure anyone wants to review a .am file :)


Sorry again,

and thanks for your time/help.



a.
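As an added example (not code from this thread, from the modsecurity package, or from the Debian release team), here is a small POSIX shell/awk script that takes a unified diff and separates the Bison/flex-generated files named in the message above (seclang-parser.cc, seclang-parser.hh, seclang-scanner.cc) from the hand-written changes, and reports how much of the generated part is only "#line" renumbering. The sample diff embedded in it is constructed for illustration; src/rule.cc and the EXAMPLE_* token names are hypothetical and stand in for real grammar and source changes.

```shell
#!/bin/sh
# Added example: not code from this bug thread or from the modsecurity
# package. It measures how much of a unified diff is left to review once
# the Bison/flex-generated files (seclang-parser.cc, seclang-parser.hh,
# seclang-scanner.cc, the names given in the message) are set aside, and
# how much of the generated part is only "#line" renumbering.
# Requires diffs with per-file "diff ..." header lines, as produced by
# "git diff" and "diff -Nru" (and therefore by debdiff).

# Regex for generated parser/scanner files; [.] instead of \. so the
# value survives awk -v escape processing unchanged.
GENERATED_RE='(^|/)seclang-(parser[.](cc|hh)|scanner[.]cc)$'

# Read a unified diff on stdin and print three counts:
#   <changed lines in generated files> <of which #line directives> <changed lines elsewhere>
classify_diff() {
    awk -v gen_re="$GENERATED_RE" '
        /^diff / {
            f = $NF; sub(/^[ab]\//, "", f)   # strip the a/ or b/ prefix
            gen = (f ~ gen_re)
            in_hunk = 0                      # the ---/+++ headers follow
            next
        }
        /^@@ / { in_hunk = 1; next }
        in_hunk && /^[+-]/ {
            if (!gen) {
                hand++
            } else {
                gen_total++
                if ($0 ~ /^[+-]#line [0-9]+ "/) gen_line++
            }
        }
        END { printf "%d %d %d\n", gen_total + 0, gen_line + 0, hand + 0 }
    '
}

# Read a unified diff on stdin and emit it with the generated files
# removed, leaving only the hunks a reviewer actually has to read.
strip_generated() {
    awk -v gen_re="$GENERATED_RE" '
        /^diff / { f = $NF; sub(/^[ab]\//, "", f); skip = (f ~ gen_re) }
        !skip
    '
}

# Constructed sample diff (not from any real modsecurity upload): one
# #line renumbering in the generated parser, two new tokens in the
# grammar source, and a change in a hypothetical hand-written src/rule.cc.
sample_diff() {
    cat <<'EOF'
diff --git a/src/parser/seclang-parser.cc b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
@@ -1457,4 +1459,4 @@
   {
-#line 1459 "seclang-parser.yy"
+#line 1461 "seclang-parser.yy"
     example_action();
diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@@ -10,2 +10,4 @@
 %token <std::string> EXAMPLE_TOKEN_A
+%token <std::string> EXAMPLE_TOKEN_NEW_ONE
+%token <std::string> EXAMPLE_TOKEN_NEW_TWO
 %token <std::string> EXAMPLE_TOKEN_B
diff --git a/src/rule.cc b/src/rule.cc
--- a/src/rule.cc
+++ b/src/rule.cc
@@ -40,3 +40,4 @@
 bool Rule::evaluate() {
-    return false;
+    // constructed change in hand-written code
+    return check();
 }
EOF
}

# Demo on the constructed sample; for a real upload run, for example,
#   classify_diff < modsecurity.debdiff
#   strip_generated < modsecurity.debdiff | less
sample_diff | classify_diff      # prints: 2 2 5
```

The two numbers to look at are the last two: with the generated files and their #line churn taken out of the picture, what remains is the part of the upload that can realistically be reviewed, and strip_generated gives you exactly that subset of the diff to read.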

 

