Agreed: increasing the scope of the ModSecurity distribution to include an optional package isn't a good pragmatic choice for the reasons already cited by Brian.
 
Furthermore, your example of RPM5 illustrates a reason for those maintainers to bundle Lua (loss of some functionality), but the same doesn't hold for ModSecurity.
 
External (Optional) dependencies are the reason for RPM, .deb, etc. package management: perhaps this issue reveals some demand for a non-source distribution of ModSecurity.
 
Cheers,

Mark Lavi
Senior Web Producer

sgi

46600 Landing Parkway
Fremont, CA 94538
(510) 933-5234 direct
mlavi@sgi.com
www.sgi.com

 


From: yersinia [mailto:yersinia.spiros@gmail.com]
Sent: Saturday, September 26, 2009 2:10 AM
To: Brian Rectanus
Cc: Mike Duncan; mod-security-packagers@lists.sourceforge.net; mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] ModSecurity 2.5.10 Released

On Fri, Sep 25, 2009 at 9:29 PM, Brian Rectanus <brectanu@gmail.com> wrote:
ModSecurity has always required Lua 5.1.x.  Perhaps this version is
finding 5.0 by mistake instead of ignoring it?  The --without-lua
configure option should help you.  I'll look at adding a version check
to the next release.

Could it be useful for ModSecurity, in order to improve portability, to put in the tarball the corrected versions of lua, or pcre, ... and decide at configure time (or with a switch to configure) whether to include the private version or link to the one on the system? This is what rpm has done for years. Are you interested in this development? I have some experience with autofu and portability issues, so perhaps I can help in trying, but I prefer to ask first.
Thanks 
thanks,
-B

On Fri, Sep 25, 2009 at 12:16 PM, Mike Duncan <Mike.Duncan@noaa.gov> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A heads up...I think that this version requires lua 5.1.4 (possibly a
> little less version tho). I have RHEL 5.4 with lua 5.0.2 from DAG
> installed currently and 2.5.9 seems fine. However, 2.5.10's make fails...
>
> ===
> /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
> - -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> - -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> - -fno-strict-aliasing  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread
> - -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1  -O2
> - -g -Wall -I/usr/include/httpd -I/usr/include/httpd -I.
> - -I/usr/include/apr-1 -I/usr/kerberos/include -I/usr/include/libxml2
> - -I/usr/include -DWITH_LUA  -c -o msc_lua.lo msc_lua.c && touch msc_lua.slo
> msc_lua.c: In function 'lua_compile':
> msc_lua.c:96: warning: implicit declaration of function 'luaL_openlibs'
> msc_lua.c: In function 'resolve_tfns':
> msc_lua.c:159: warning: implicit declaration of function 'lua_objlen'
> msc_lua.c: At top level:
> msc_lua.c:338: error: array type has incomplete element type
> msc_lua.c: In function 'lua_execute':
> msc_lua.c:378: warning: implicit declaration of function 'luaL_register'
> apxs:Error: Command failed with rc=65536
> .
> make: *** [mod_security2.la] Error 1
> ===
>
> On another RHEL 5.4 with lua 5.1.4 (devel as well) installed everything
> compiles fine. You can download lua binary packages from here:
> http://luaforge.net/frs/?group_id=110.
>
> Let me know if I am wrong on the versioning or missing something. I
> guess DAG has not updated this package in some time.
>
> Mike Duncan
> ISSO, Application Security Specialist
> Government Contractor with STG, Inc.
> NOAA :: National Climatic Data Center
>
>
> Brian Rectanus wrote:
>> ModSecurity 2.5.10 has been released and is now available.
>>
>> This release fixes a number of small issues.  Notable issues that have
>> been fixed are a cleaner build process, fixes to mlogc to build on
>> Windows and allow more reliable SSL neg. to the console, less verbose
>> logging when using anomaly scoring with CRS v2.x and a feature to
>> allow easier use with Apache mpm-itk.
>>
>> Downloads and docs from modsecurity.org as usual.
>>
>>
>> 18 Sep 2009 - 2.5.10
>> --------------------
>>  * Cleanup mlogc so that it builds on Windows.
>>  * Added more detailed messages to replace "Unknown error" in filters.
>>  * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
>>    auditlog permissions (especially with mpm-itk).
>>  * Cleanup SecUploadFileMode implementation.
>>  * Cleanup build scripts.
>>  * Fixed crash on configuration if SecMarker is used before any rules.
>>  * Fixed SecRuleUpdateActionById so that it will work on chain starters.
>>  * Cleanup build system for mlogc.
>>  * Allow mlogc to periodically flush memory pools.
>>  * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
>>    nothing to the error log.  Prior versions dropped the "Message:" line from
>>    both logs.  To do this now, just use "nolog" or "nolog,noauditlog".
>>  * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
>>    issues with some libcurl versions.
>>  * Fixed mlogc issue seen on big endian machines where content type
>>    could be listed as zero.
>>  * Removed extra newline from audit log message line when logging XML errors.
>>    This was causing problems parsing audit logs.
>>  * Fixed @pm/@pmFromFile case insensitivity.
>>  * Truncate long parameters in log message for "Match of ... against ...
>>    required" messages.
>>  * Correctly resolve chained rule actions in logs.
>>  * Cleanup some code for portability.
>>  * AIX does not support hidden visibility with xlc compiler.
>>  * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
>>    values for non-gcc compilers.
>>  * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
>>  * Handle a newer geo database more gracefully, avoiding a potential crash for
>>    new countries that ModSecurity is not yet aware.
>>  * Allow checking &GEO "@eq 0" for a failed @geoLookup.
>>  * Fixed mlogc global mutex locking issue and added more debugging output.
>>  * Cleaned up build dependencies and configure options.
>>
>> ------------------------------------------------------------------------------
>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>> is the only developer event you need to attend this year. Jumpstart your
>> developing skills, take BlackBerry mobile applications to market and stay
>> ahead of the curve. Join us from November 9-12, 2009. Register now!
>> http://p.sf.net/sfu/devconf
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Appliances, Rule Sets and Support:
>> http://www.modsecurity.org/breach/index.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkq9FwMACgkQnvIkv6fg9hZCnQCff0odqo/9ex1bkThN0IUXNBXf
> QHkAmwWop19wTZwhUmq4k1VOKv4JyHFH
> =y+b5
> -----END PGP SIGNATURE-----
>
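
A configure-time version check of the kind mentioned in this thread, as an added example (not code from the ModSecurity project or from anyone in this thread). It assumes the Lua 5.1.x header defines `LUA_VERSION_NUM` as 501 and that older headers, such as 5.0's, lack the macro; the function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from lua.h whether Lua support can be compiled in.
# Assumption: Lua 5.1.x headers define LUA_VERSION_NUM as 501; a header
# without that macro (for example Lua 5.0's) is treated as unsuitable.

# Print the LUA_VERSION_NUM value found in header $1, or nothing if absent.
lua_version_num() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}LUA_VERSION_NUM[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Return 0 if header $1 is Lua 5.1.x, 1 otherwise; print the decision.
check_lua_header() {
    hdr=$1
    if [ ! -r "$hdr" ]; then
        echo "no readable lua.h at $hdr: build with --without-lua"
        return 1
    fi
    num=$(lua_version_num "$hdr")
    if [ "$num" = "501" ]; then
        echo "Lua 5.1.x header found: enabling -DWITH_LUA"
        return 0
    fi
    echo "lua.h is not 5.1.x (LUA_VERSION_NUM='${num}'): build with --without-lua"
    return 1
}

# Constructed sample headers (not copied from any real system).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lua50" "$demo_dir/lua51"
printf '#define LUA_VERSION "Lua 5.0.2"\n' > "$demo_dir/lua50/lua.h"
printf '#define LUA_VERSION "Lua 5.1"\n#define LUA_VERSION_NUM 501\n' > "$demo_dir/lua51/lua.h"

# The 5.0 header is rejected before any compile is attempted; 5.1 passes.
check_lua_header "$demo_dir/lua50/lua.h" || true
check_lua_header "$demo_dir/lua51/lua.h"
```

Failing at this point gives one clear message instead of the implicit-declaration warnings and the `msc_lua.c:338` error in the build log above.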
