Re: [mod-security-packagers] ModSecurity 3.x (almost) enters Debian

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi,

Regardless of the dependencies, the test should not fail. There are three
different possible result for a test case:

Pass, Fail, Disable.

The Disable is used when an optional resource was disabled. Either because
it was manually disabled or because the build did not managed to find the
need dependency.

In the config.log we may be able to identify the optional libraries. I
would recommend to build with all dependencies. The configure output should
be somewhat similar to this:

ModSecurity - v3.0.2-131-g8d8c8748 for Linux

Mandatory dependencies
  + libInjection                                  ....v3.0.2-131-g8d8c8748
  + SecLang tests                                 ....8d8c8748

Optional dependencies
  + GeoIP/MaxMind                                 ....found
     * (MaxMind) v1.3.2
        -lmaxminddb , -DWITH_MAXMIND
     * (GeoIP) v1.6.12
        -lGeoIP , -I/usr/include/
  + LibCURL                                       ....found v7.61.1
     -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
  + YAJL                                          ....found v2.1.0
     -lyajl , -DWITH_YAJL -I/usr/include/yajl
  + LMDB                                          ....disabled
  + LibXML2                                       ....found v2.9.8
     -lxml2 -lz -llzma -licui18n -licuuc -licudata -lm -ldl,
-I/usr/include/libxml2 -DWITH_LIBXML2
  + SSDEEP                                        ....found
     -lfuzzy -L/usr/lib/, -DWITH_SSDEEP -I/usr/include
  + LUA                                           ....found v503
     -llua5.3 -L/usr/lib/, -DWITH_LUA -I/usr/include

Other Options
  + Test Utilities                                ....enabled
  + SecDebugLog                                   ....enabled
  + afl fuzzer                                    ....disabled
  + library examples                              ....enabled
  + Building parser                               ....disabled
  + Treating pm operations as critical section    ....disabled

I am afraid we may have a problem in our build scripts, due to a missing
header or library. The script is may confuse by the time it educated guess
the platform. Leading to run time issues in structures like the one used to
map ips. But that is just a guess, i have to see the logs to tell for sure.

Optional dependency list: lua, ssdeep, libxml2, yajl, libcurl, maxmind.

Br.,
F.

On Fri, Oct 19, 2018 at 11:26 AM Ervin Hegedüs <ai...@gm...> wrote:

> Hi Felipe,
>
> On Fri, Oct 19, 2018 at 10:21:14AM -0300, Felipe Zimmerle wrote:
> > Hi,
> >
> > Good to hear that we are having those packages :) that should increase
> even
> > more the adoption of v3 :) Kudos!!!!
>
> we're just going to have the package, I think it's a little bit
> far, but even closer :)
>
> > Same as Ervin here, I am not able to reproduce the regression tests
> > failures. Do you mind to share the configuration/compilation logs?
>
> which logs do you mean? pbuilder or "native" build logs?
>
> I'm afraid that the result misleads us (you and me), because (I
> think) you also have a build environment with several installed
> libraries, which aren't mandatory.
>
> That's in my build system (which is a simple LXC container) - I've
> built modsecurity as several times :), with different ways...
>
> But the error comes only on Debian's build environment, where the
> builder flow starts in a "clean" base system, and it installs the
> necessary packages, what the developer/maintainer listed in
> d/control.... I don't know yet, I'll check it out at this
> weekend.
>
>
>
> Regards,
>
>
> a.
>
>