Open thbar opened 4 years ago
It looks like you've correctly summed up the situation. I'm doing some work on the documentation now, so if folks have suggestions I'll take them into account.
So far the following changes have been made: https://github.com/phusion/passenger_library/commit/7dce91cfc05a27dbe004e7437cd1583405a2b837
@CamJN a question that has popped up while discussing this with a client is the following: how secure is the Ubuntu-provided nginx package, compared to the version provided by nginx themselves? Apart from the feature differences, are all the CVE patches applied, and is there a lag in those patches between what nginx provides and what Ubuntu ultimately bundles?
I think it could be useful to add a note on that, because people currently installing 1.14.0 by default on Ubuntu could wonder.
Thanks otherwise for your update, appreciated. I will provide more input if I have more later!
Ubuntu back-ports security patches to their supported versions of packages. I don't have a good link to their policy to provide, unfortunately. But that's why there is a -#ubuntu-style suffix on their packages.
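As an added example (not code from this thread, from Phusion or from Ubuntu), the POSIX shell script below turns the version-suffix point above into a check you can run on a server: it classifies a dpkg version string by its Debian revision (an `ubuntuN` marker for an Ubuntu-built package, a `~<codename>` marker for a third-party build such as nginx.org's or Phusion's) and pulls the CVE identifiers out of a Debian changelog so you can see whether a given fix was backported. The suffix rule is a heuristic, not a documented Ubuntu policy, and the version strings other than the `1:6.0.4-1~bionic1` one quoted in the thread, the changelog text and the `CVE-0000-000x` identifiers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread, Phusion or Ubuntu.
# Heuristic: Ubuntu-built packages carry "ubuntu" in the Debian revision
# (e.g. 1.14.0-0ubuntu1.1, a constructed string); nginx.org and Phusion
# builds carry a "~<codename>" marker instead (e.g. 1:6.0.4-1~bionic1 from
# the thread). Anything else is reported as "other".

# package_origin VERSION  -> prints ubuntu | third-party | other
package_origin() {
    ver="${1#*:}"                       # drop the epoch ("1:") if present
    case "$ver" in
        *-*) rev="${ver##*-}" ;;        # Debian revision after the last '-'
        *)   echo "other"; return 0 ;;  # no revision at all
    esac
    case "$rev" in
        *ubuntu*) echo "ubuntu" ;;
        *~*)      echo "third-party" ;;
        *)        echo "other" ;;
    esac
}

# upstream_version VERSION -> the upstream part only, e.g. 1.14.0
upstream_version() {
    ver="${1#*:}"
    echo "${ver%%-*}"
}

# cves_in_changelog < changelog  -> unique CVE IDs, one per line, sorted
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# changelog_mentions_cve CVE-ID < changelog -> exit 0 if the ID appears
changelog_mentions_cve() {
    grep -qF -- "$1"
}

# Constructed changelog excerpt; the CVE IDs are placeholders, not real advisories.
SAMPLE_CHANGELOG='nginx (1.14.0-0ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: constructed placeholder entry
    - debian/patches/placeholder.patch: backported upstream fix
    - CVE-0000-0001
    - CVE-0000-0002

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2019 00:00:00 +0000'

# On a real host, replace the constructed inputs with:
#   dpkg-query -W -f='${Version}\n' nginx
#   zcat /usr/share/doc/<package>/changelog.Debian.gz   (or: apt-get changelog nginx)
for v in "1.14.0-0ubuntu1.1" "1:6.0.4-1~bionic1" "1.18.0-1~bionic" "1.14.0-1"; do
    printf '%-22s upstream=%-8s origin=%s\n' "$v" \
        "$(upstream_version "$v")" "$(package_origin "$v")"
done

echo "CVEs listed in the sample changelog:"
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_changelog

if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-0000-0001; then
    echo "CVE-0000-0001: fix listed in changelog"
else
    echo "CVE-0000-0001: not mentioned; compare upstream's advisory against $(upstream_version 1.14.0-0ubuntu1.1)"
fi
```

The upstream version alone (1.14.0 in the thread) tells you nothing about which fixes a distro build contains; the changelog is where a backport is recorded, which is why the check reads it rather than comparing version numbers.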
Gathering of information (the whole story)
I'm in the process of moving servers from Ubuntu 16 to Ubuntu 18.
On Ubuntu 16, Passenger was providing both `nginx-extras` and `passenger` together. Readjusting for Ubuntu 18 (following the official guide for Ubuntu 18), I read:
If we read the NGINX installation documentation for Ubuntu, we can read (emphasis mine):
NGINX is here explicitly recommending to use their official repo and not the default Ubuntu repository (the documentation for that can be found here).
If we use the official NGINX repository to install `nginx`, and then follow the Passenger guide, we'll get that error installing `libnginx-mod-http-passenger=1:6.0.4-1~bionic1`:
In the Passenger 6.0.3 release notes, it is written:
This point has been addressed a bit at https://github.com/phusion/passenger/issues/2122#issuecomment-452082803, and the answer at https://github.com/phusion/passenger/issues/2122#issuecomment-454477833 indicates:
My opinion
1.14.0 is in `main` and therefore should have security fixes; I think it's a bit sad to install such an outdated version by default. Note that I'm not requesting/being entitled to anything (I'm an OSS maintainer myself), merely documenting my surprise.
I've been using Passenger happily since 2008 (I gave a donation back then), but the upgrade from Ubuntu xenial to Ubuntu bionic is more work than my clients would have expected. We are considering migrating to Puma instead, which makes me a bit sad.
Again, not requesting anything - just documenting what I thought would be easier, in hope it will help others, and maybe improve the documentation on that part.