Bug 173388 - Review Request: mod_evasive - Denial of Service evasion module for Apache
Summary: Review Request: mod_evasive - Denial of Service evasion module for Apache
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ruben Kerkhof
QA Contact: Fedora Package Reviews List
URL: http://www.nuclearelephant.com/projec...
Whiteboard:
Depends On:
Blocks: FE-ACCEPT
Reported: 2005-11-16 20:35 UTC by Konstantin Ryabitsev
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-12 16:49:10 UTC
Type: ---
Embargoed:
ruben: fedora-review+
petersen: fedora-cvs+


Description Konstantin Ryabitsev 2005-11-16 20:35:49 UTC
Spec Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
SRPM Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-0.1.src.rpm
Description:
mod_evasive is an evasive maneuvers module for Apache to provide evasive 
action in the event of an HTTP DoS or DDoS attack or brute force attack. It 
is also designed to be a detection and network management tool, and can be 
easily configured to talk to ipchains, firewalls, routers, and etcetera. 
mod_evasive presently reports abuses via email and syslog facilities.

Comment 1 Konstantin Ryabitsev 2005-11-25 15:31:16 UTC
Ping.

Comment 2 Jeff Carlson 2005-11-30 14:32:16 UTC
Regarding the %description, "et cetera" are two words, and the Latin word "et"
means "and," so it is redundant to say "and et...."  Also, I think it is more
appropriate to mention iptables instead of ipchains.  So, I suggest that
penultimate sentence should end "iptables, firewalls, routers, et cetera."  Or
just "etc."

Comment 3 Konstantin Ryabitsev 2005-12-01 15:29:01 UTC
It's just a copy-paste of the description provided by the author on the website.
I'll make the changes.

Comment 4 Iago Rubio 2005-12-01 16:33:35 UTC
> "et cetera" are two words

I disagree. "Et cetera" are two words in Latin, but it has been adopted as one
word in most languages with Latin roots such as Spanish, Italian, Portuguese,
etcetera ... ;)

It has been adopted by English from Spanish - I think - and exists in English
dictionaries, so if you're not going to translate the whole description to Latin,
separating "et cetera" makes no sense to me.

http://dictionary.reference.com/search?q=etcetera

Comment 5 Michael A. Peters 2005-12-01 16:48:40 UTC
I've never seen it as one word in English - though I have seen it simply
abbreviated etc. :)

Comment 6 Matthew Miller 2005-12-01 16:55:40 UTC
Iago -- In English, both are valid but have slightly different meanings and
connotations. In this case, "et cetera" is correct. However, it's probably
better to avoid entirely in %description and actually be specific.

Also, this is ridiculously pedantic and none of us should care. :)

Comment 7 Konstantin Ryabitsev 2005-12-01 17:00:43 UTC
Yes, can I get some comments that don't deal with orthography? :)

Comment 8 Iago Rubio 2005-12-01 18:28:17 UTC
>> Also, this is ridiculously pedantic and none of us should care

Completely agree :)

>> Yes, can I get some comments that don't deal with orthography? :)

Not too much from my side, but it rebuilds fine - warning user icon does not
exist - installs cleanly, and rpmlint is happy.

Comment 9 Joe Orton 2005-12-06 14:19:31 UTC
The module license is not ideal (w.r.t. GPL/ASL 2.0 incompatibility); otherwise
it looks fine.

Comment 10 Konstantin Ryabitsev 2005-12-06 14:47:14 UTC
I've made a few cosmetic changes to the package:

http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-1.src.rpm

* Tue Dec 06 2005 Konstantin Ryabitsev <icon> - 1.10.1-1
- Cleaning up description
- Cleaning up install
- Slight modification to default config (add DOSWhitelist entries)
- Disttagging
- Adding test.pl to docs

If I can get it approved, I'll finish up the process of adding it to extras.

(PS: Not much I can do about the license. :))

Comment 11 Konstantin Ryabitsev 2005-12-19 21:19:42 UTC
Ping.

This has been in the approval queue for over a month now. Can someone finally
approve it, please? :) Pretty please?

Comment 12 Michael A. Peters 2005-12-20 13:03:58 UTC
* rpmlint clean:
[mpeters@jerusalem result]$ ls *.rpm && rpmlint *.rpm
mod_evasive-1.10.1-1.fc4.i386.rpm  mod_evasive-debuginfo-1.10.1-1.fc4.i386.rpm
mod_evasive-1.10.1-1.fc4.src.rpm
[mpeters@jerusalem result]$
* proper naming of package and spec file
* licensed with open source nice license (GPL) - BUT - incompat w/ Apache license
* Spec file American English, readable, etc.
* md5sum matches upstream - 784fca4a124f25ccff5b48c7a69a65e5
* Compiles in FC4 x86 mock
* Correct %files section

NEEDS

It should restart the apache webserver

The license thing - can you ask upstream to change it?
Otherwise I think that is a block because GNU specifies that Apache Software
License is not compat with GPL, and the module uses httpd-devel to build, so I'm
not sure it can go into extras under the GPL license.

Comment 13 Konstantin Ryabitsev 2005-12-20 19:53:59 UTC
OK, I've emailed the developer telling him about the situation. Hopefully he'll
consider switching licenses.

I don't agree that the package should automatically restart apache, though.
Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
the restart on eir own.

Comment 14 Michael A. Peters 2005-12-20 20:44:29 UTC
(In reply to comment #13)

> I don't agree that the package should automatically restart apache, though.
> Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
> the restart on eir own.

If they are installing the module, they can't use it unless they restart it.
Furthermore, there is the update issue.

Security hole found in package - update issued.
Sysadmin has yum running as a service to update his system.
He checks the rpm - thinks he's safe because it's at patch level, but since
apache hasn't restarted he's vulnerable.

-=-
Any comments from packaging veterans on this?
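As an added example (not code from this review or from the mod_evasive project), a shell check for the situation Michael describes: the module package has been updated on disk, rpm reports the patched version, but the running httpd still has the old copy loaded. It assumes GNU coreutils (stat -c) and a Linux /proc; the module path used in the comments is a placeholder.

```shell
#!/bin/sh
# Detect an Apache module that was replaced on disk after httpd started.
# A package update that does not restart httpd leaves the old code running,
# so "rpm -q mod_evasive" showing the fixed version is not proof of safety.

# Return 0 when the module file is newer than the process start time
# (restart needed), 1 when the running process already loaded this file,
# 2 when the file does not exist.
module_needs_restart() {
    so_path=$1      # installed module, e.g. /usr/lib/httpd/modules/mod_evasive20.so (placeholder)
    proc_start=$2   # epoch seconds at which the httpd process started
    [ -f "$so_path" ] || return 2
    so_mtime=$(stat -c %Y "$so_path")
    [ "$so_mtime" -gt "$proc_start" ]
}

# Epoch start time of a running process: boot time (btime in /proc/stat)
# plus the process starttime field of /proc/<pid>/stat, which is counted in
# clock ticks since boot.
proc_start_epoch() {
    pid=$1
    btime=$(awk '/^btime/ {print $2}' /proc/stat)
    hz=$(getconf CLK_TCK)
    # The comm field "(name)" may contain spaces, so strip through ") " first;
    # starttime is then field 20 of what remains (field 22 of the full line).
    starttime=$(sed 's/^.*) //' "/proc/$pid/stat" | awk '{print $20}')
    echo $(( btime + starttime / hz ))
}

# Report every httpd process that is still running a superseded module.
check_running_httpd() {
    so_path=$1
    for pid in $(pidof httpd 2>/dev/null); do
        if module_needs_restart "$so_path" "$(proc_start_epoch "$pid")"; then
            echo "pid $pid: $so_path changed after process start; restart needed"
        fi
    done
}
```

Run `check_running_httpd /usr/lib/httpd/modules/mod_evasive20.so` (adjust the path) after `yum update`; no output means every httpd process started after the module file was last written.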

Comment 15 Konstantin Ryabitsev 2005-12-20 20:58:37 UTC
Yeah, but this isn't any different from any other security update to apache.
Currently, rpm -q --scripts httpd shows:

preinstall scriptlet (using /bin/sh):
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
        -s /sbin/nologin -r -d /var/www apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd
fi

If the main apache package isn't doing automatic restarts for updated packages,
then I don't think an apache module package should act differently.

Comment 16 Joe Orton 2005-12-21 00:17:28 UTC
IMO doing anything to running services on package upgrades is generally evil. 
(occasionally a necessary evil, but not in this case).  General case is that the
admin may have made config changes which they do not yet want to apply.  They
may want to do a graceful restart to avoid kicking off active clients.  etc.

Doing an httpd restart for a module upgrade would definitely be very evil
(imagine "yum update mod_foo mod_bar mod_baz ...").

Comment 17 Michael A. Peters 2005-12-21 00:59:36 UTC
OK.
That's fine then.

Comment 18 Tim Jackson 2006-08-05 23:58:24 UTC
Anything standing in the way of this being approved now?

Comment 19 Christian Iseli 2006-10-18 13:05:32 UTC
Normalize summary field for easy parsing

Comment 20 Konstantin Ryabitsev 2007-01-02 20:21:18 UTC
This has been in the review queue for over a year now. :)

Can we please approve it or discard it?

Comment 21 Kevin Fenzi 2007-01-04 03:27:51 UTC
There is a policy to deal with this sort of thing: 
http://fedoraproject.org/wiki/Extras/Policy/StalledReviews

Consider this to indicate that the review is stalled and that a response is
needed soon.

If there is no response in 1 week, we will move this back to NEW and someone 
else can review it. 

Comment 22 Mamoru TASAKA 2007-01-27 07:32:00 UTC
(In reply to comment #21)
> If there is no response in 1 week, we will move this back to NEW and someone 
> else can review it. 
> 

Switching to FE-NEW

Comment 23 Ruben Kerkhof 2007-01-28 00:59:07 UTC
Hi Konstantin,

Review for release 1.10.1-1
* RPM name is OK
* Builds fine in mock
* rpmlint looks OK
* File list looks OK
* Config files of mod_evasive look OK

Needs work:
* Source 0 is not available (http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz).
  The project is now at http://www.zdziarski.com/projects/mod_evasive/
* Spec file: some paths are not replaced with RPM macros
  Please replace /usr/sbin/apxs with %{_sbindir}/apxs

Comment 25 Ruben Kerkhof 2007-02-03 21:28:17 UTC
Looks perfect. This package is APPROVED.

Comment 26 Ruben Kerkhof 2007-03-15 17:45:01 UTC
Hi Konstantin

Are you still planning on adding this package to Extras?

Comment 27 Ruben Kerkhof 2007-03-18 10:00:21 UTC
Setting fedora-review flag as per http://fedoraproject.org/wiki/PackageReviewProcess

Comment 28 Konstantin Ryabitsev 2007-04-03 16:22:11 UTC
New Package CVS Request
=======================
Package Name: mod_evasive
Short Description: Denial of Service evasion module for Apache
Owners: icon
Branches: FC-6, EL-4, EL-5
InitialCC: 

Comment 29 Jens Petersen 2007-04-06 06:23:27 UTC
done

Comment 30 Ruben Kerkhof 2007-05-12 16:25:28 UTC
Konstantin, are you still planning on building this?

Comment 31 Konstantin Ryabitsev 2007-05-12 16:49:10 UTC
It's built for apache-2.0 systems, which pretty much means EL-4. It doesn't work
under apache-2.2 at the moment.
