Bug 1672678

Summary:	libmodsecurity: update to 3.0.3 release
Product:	[Fedora] Fedora	Reporter:	Denis Fateyev <denis>
Component:	libmodsecurity	Assignee:	Othman Madjoudj <athmanem>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	athmanem, dridi.boukelmoune
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-07-02 08:22:43 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Denis Fateyev 2019-02-05 15:42:30 UTC

Description of problem:

Libmodsecurity 3.0.3 upstream release is available [1,2].

Please update to the recent version in Fedora and EPEL7 branches.

Thanks!

 [1] https://www.modsecurity.org/

 [2] https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.3/modsecurity-v3.0.3.tar.gz

Comment 1 Denis Fateyev 2019-03-31 15:30:02 UTC

Any update here?

Comment 2 Fedora Update System 2019-03-31 19:14:18 UTC

libmodsecurity-3.0.3-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ee5a421a8a

Comment 3 Fedora Update System 2019-03-31 19:34:27 UTC

libmodsecurity-3.0.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9a7ee8ddd8

Comment 4 Fedora Update System 2019-03-31 20:20:32 UTC

libmodsecurity-3.0.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1e12b7c8b4

Comment 5 Othman Madjoudj 2019-03-31 20:23:03 UTC

Updates will hit testing repos soon, please test and provide feedback via karma if possible.

Comment 6 Fedora Update System 2019-04-01 01:33:03 UTC

libmodsecurity-3.0.3-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ee5a421a8a

Comment 7 Fedora Update System 2019-04-01 02:06:43 UTC

libmodsecurity-3.0.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9a7ee8ddd8

Comment 8 Fedora Update System 2019-04-01 02:15:24 UTC

libmodsecurity-3.0.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1e12b7c8b4

Comment 9 Dridi Boukelmoune 2019-04-01 09:54:43 UTC

I don't think we can push this to Fedora outside of Rawhide. A rebuild is needed on aarch64 for dependent packages since it apparently breaks the ABI on those platforms so it's too late for f30.

I need to double check that epel7 is x86_64-only in which case it would be OK to push there.

Comment 10 Dridi Boukelmoune 2019-04-01 09:55:46 UTC

No, epel7 is also not OK apparently: https://koji.fedoraproject.org/koji/buildinfo?buildID=1240700

Comment 11 Denis Fateyev 2019-04-01 12:46:14 UTC

Which packages depend on this ABI version?
If yuo have an access, you can update everything within one update cycle (build libmodsecurity, make override in Bodhi, build dependants, push all builds as one solid update).

Comment 12 Dridi Boukelmoune 2019-04-01 13:12:58 UTC

> Which packages depend on this ABI version?

I don't know and it would be easy to find out with dnf, but end users are entitled to stability for a given Fedora release so we can't push this update outside of rawhide right now.

Also, I misread the report and even x86_64 breaks:

https://taskotron.fedoraproject.org/artifacts/all/7b2bc0be-53eb-11e9-9601-525400fc9f92/tests.yml/libmodsecurity-3.0.3-1.fc29.log
https://taskotron.fedoraproject.org/artifacts/all/7b45338c-53eb-11e9-9d55-525400fc9f92/tests.yml/libmodsecurity-3.0.3-1.fc29.log
https://taskotron.fedoraproject.org/artifacts/all/d0fadd02-53e8-11e9-9d55-525400fc9f92/tests.yml/libmodsecurity-3.0.3-1.fc30.log
https://taskotron.fedoraproject.org/artifacts/all/d11716d4-53e8-11e9-9601-525400fc9f92/tests.yml/libmodsecurity-3.0.3-1.fc30.log

Comment 13 Denis Fateyev 2019-04-01 14:03:30 UTC

I don't see any dependants from "libmodsecurity", except its auxiliary packages (libmodsecurity-devel, libmodsecurity-static).

# repoquery --whatrequires libmodsecurity
libmodsecurity-devel-0:3.0.2-3.el7.x86_64
libmodsecurity-static-0:3.0.2-3.el7.x86_64

I really doubt you would break anything with bumping ABI in "libmodsecurity".

Comment 14 Dridi Boukelmoune 2019-04-04 06:57:52 UTC

I tried this instead:

    dnf repoquery --enablerepo=*-source --whatrequires libmodsecurity-devel

No dependent package, which means it's good to go in rawhide and f30. We can't break f29 because there may be users of the package and they shouldn't have to rebuild whatever uses this library on their systems, I'm one of them.

Comment 15 Othman Madjoudj 2019-04-05 20:38:33 UTC

Sorry for late response, I'll unpush them on the stable branch, I usually dont update the stable branches unless the project is in it early stages (.0 is often buggy), plus I checked that nothing depend on it.


@Dridi: out of curiosity, do you use libmodsecurity 3.x in production ? (via Apache httpd/nginx/varnish/ ...), I'm asking because the plan is to make mod_secuirty3 the main package and leave mod_security (aka mod_security2) for while before retiring it (probability when RHEL 7 will hit EOL)

Comment 16 Denis Fateyev 2019-06-07 23:54:54 UTC

This ticket is still in ON_QA state. Could you check and resolve it?
Thanks.

Comment 17 Dridi Boukelmoune 2019-07-01 09:35:35 UTC

I tried to reply to this ticket on June 11th but I've been unable to login with either my FAS account or my email/password for a long while now (not that I checked everyday).

My wannabe answer from then:

> We may have to rethink how we ship libmodsecurity, see this thread:
>
> https://github.com/SpiderLabs/ModSecurity/issues/2115

Dridi

Comment 18 Denis Fateyev 2019-07-01 18:02:48 UTC

Okay, but meanwhile libmodsecurity developers elaborate consistent ABI scheme support, we can push the package to Rawhide (where ABI change doesn't affect anything), and close the bug.

Comment 19 Dridi Boukelmoune 2019-07-01 18:51:00 UTC

I think they will more likely not guarantee ABI stability, but this is only my assumption from the first reply I got. They may surprise me, but I don't think they will commit to any form of stability, from what I could glean from coworkers even simply plugging a leak ended up with an ABI change between 3.0.2 and 3.0.3 and I wouldn't be surprised if they added such a goal to their 3.1 roadmap instead.

However this is pure speculation, if interested parties have a github account, they can subscribe to that thread and wait for upstream's statement.

Comment 20 Denis Fateyev 2019-07-01 19:58:34 UTC

OK. Would you mind to push libmodsecurity-3.0.3 update to Rawhide, since it can be used there as is?

Comment 21 Dridi Boukelmoune 2019-07-01 20:32:20 UTC

It was already done by Athmane Madjoudj:

https://apps.fedoraproject.org/packages/libmodsecurity/

Comment 22 Denis Fateyev 2019-07-01 20:48:26 UTC

Thanks, haven't noticed that for some reason. So this issue be closed with CLOSED/RAWHIDE.