[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

nginx Build-Depended on 3rd-party module source

  Hello security team,

I'm working on debianizing uWSGI [1]. You can see my work on git.debian.org [2]. I've already found the sponsor (Alexander GQ Gerasiov) and now we are in discussing some final details. One of these details is question about needing in package uwsgi-nginx-module-dev. This is one of builded binary packages containing just the source of uWSGI nginx module. Any nginx module must be compiled in nginx binary [3] [4], so I've contacted with nginx maintainer (Kartik Mistry) and asked him for adding uwsgi-nginx-module-dev in Build-Depends of nginx (along with including '--add-module' stanza in debian/rules). Kartik agrees. But then Alexander raised a question, which I want to ask in security-related list. If nginx will be Build-Depended on binary package with 3rd-party module source, will it breaks any Debian security rules or not?

[1] http://projects.unbit.it/uwsgi/
[2] http://git.debian.org/?p=collab-maint/uwsgi.git;a=summary
[3] http://wiki.nginx.org/Nginx3rdPartyModules
[4] http://www.evanmiller.org/nginx-modules-guide.html#compiling

Reply to: