#6 add conditionals for EPEL7, see rhbz#1750857
Merged 4 months ago by wtogami. Opened 5 months ago by wtogami.
rpms/ wtogami/nginx epel7sync  into  master

file modified
+23 -2

@@ -16,7 +16,7 @@ 


  %global with_aio 1


- %if 0%{?fedora} > 22

+ %if 0%{?fedora} > 22 || 0%{?rhel} >= 8

  %global with_mailcap_mimetypes 1
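
Review bot: the added `0%{?rhel} >= 8` term on the `%if` guarding `with_mailcap_mimetypes` changes RHEL 8 and later builds, not EPEL7, which is outside what the changelog entry describes ("add conditionals for EPEL7"). Mention the RHEL 8 behaviour in the changelog or split it into its own commit, so the history describes every platform the change touches.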



@@ -60,7 +60,16 @@ 

  BuildRequires:     zlib-devel


  Requires:          nginx-filesystem = %{epoch}:%{version}-%{release}

+ %if 0%{?el7}

+ # centos-logos el7 does not provide 'system-indexhtml'

+ Requires:          system-logos redhat-indexhtml

+ # need to remove epel7 geoip sub-package, doesn't work anymore

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1576034

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1664957

+ Obsoletes:         nginx-mod-http-geoip <= 1:1.16

+ %else

  Requires:          system-logos-httpd

+ %endif


  %if 0%{?rhel} > 0 && 0%{?rhel} < 8

  # Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
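
Review bot: the `Obsoletes: nginx-mod-http-geoip <= 1:1.16` line in the `%if 0%{?el7}` block only matches geoip sub-packages older than the current 1:1.16.1 build, and nothing in this diff stops the sub-package from being built on el7, although the comment above it says the sub-package needs to be removed. Put the geoip `%package` and `%files` sections under the same conditional, or confirm the spec already does so, otherwise a new sub-package is produced that this Obsoletes does not cover. Minor style point: this block tests `0%{?el7}` while the context line just below it tests `0%{?rhel} > 0 && 0%{?rhel} < 8`; one convention is easier to audit.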

@@ -134,7 +143,7 @@ 

  %package mod-http-perl

  Summary:           Nginx HTTP perl module

  BuildRequires:     perl-devel

- %if 0%{?fedora} >= 24

+ %if 0%{?fedora} >= 24 || 0%{?rhel} >= 7

  BuildRequires:     perl-generators


  BuildRequires:     perl(ExtUtils::Embed)
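
Review bot: style point on the `%if` before `BuildRequires: perl-generators`: it tests `0%{?rhel} >= 7`, which also matches RHEL 8 and later, while the el7-specific hunks in this patch test `0%{?el7}`. If the open-ended range is intended, a one-line comment saying so would keep a later reader from narrowing it to el7 by mistake.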

@@ -282,8 +291,17 @@ 



  rm -f %{buildroot}%{_datadir}/nginx/html/index.html

+ %if 0%{?el7}

+ ln -s ../../doc/HTML/index.html \

+       %{buildroot}%{_datadir}/nginx/html/index.html

+ ln -s ../../doc/HTML/img \

+       %{buildroot}%{_datadir}/nginx/html/img

+ ln -s ../../doc/HTML/en-US \

+       %{buildroot}%{_datadir}/nginx/html/en-US

+ %else

  ln -s ../../fedora-testpage/index.html \


+ %endif

  install -p -m 0644 %{SOURCE102} \


  ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png
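
Review bot: the el7 branch creates two new entries in the default docroot, `%{_datadir}/nginx/html/img` and `%{_datadir}/nginx/html/en-US`, but the diff has no matching `%files` change, so check that the existing `%files` list covers them or the build will stop on unpackaged files. Only `index.html` is removed by the `rm -f` above; if `img` or `en-US` already exists in the buildroot, `ln -s` without `-f` either fails or creates the link inside the existing directory. The targets under `../../doc/HTML/` are dangling unless the `redhat-indexhtml` dependency from the earlier hunk supplies that layout, and the default site will then serve whatever sits in those directories, which is worth a comment in the spec.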

@@ -459,6 +477,9 @@ 




+ * Sun Sep 15 2019 Warren Togami <warren@blockstream.com>

+ - add conditionals for EPEL7, see rhbz#1750857


  * Tue Aug 13 2019 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.16.1-1

  - Update to upstream release 1.16.1

  - Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
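
Review bot: the new `%changelog` entry has no version-release suffix, unlike the entry below it (`- 1:1.16.1-1`), and the diff does not bump `Release`. Since the patch changes `Requires` and adds an `Obsoletes`, bump the release and append the new EVR to the entry header so the rebuilt package sorts above 1:1.16.1-1.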

nginx.spec conditionals so EPEL7's nginx can be maintained along with modern Fedora's nginx.

We are forced to upgrade due to CVEs and no upstream?

I tested this on my EPEL7 x86-64 machine with:

yum remove 'nginx*'
yum install nginx -y
systemctl restart nginx
# Check both default indexhtml http://IPADDRESS and custom https://DOMAINAME
yum update 'nginx*.rpm' -y
systemctl restart nginx
# Check both default indexhtml http://IPADDRESS and custom https://DOMAINAME

Note: My /etc/nginx/nginx.conf is unmodified thus the new RPM replaced it. My only custom config is within /etc/nginx/conf.d/*
Other people who had modified their nginx.conf need to test this upgrade path.

Thanks for the PR, Warren. Nice to see you around here again ;-)
I'll look into it. But from a master branch perspective I don't see much harm being done here.
I don't run nginx on EL and therefore have no way of extensively testing any changes there, so I appreciate your call for help on Twitter in that regard.

I'll look at it in a bit more detail tomorrow and merge if I find everything looks good.

For master branch the review should confirm that it makes no change for Fedora 30+.

The implied next step is to git merge master into the epel7 branch, which would not really be a merge but rather total replacement of the contents currently there. From then on the goal would be to update EPEL7 with clean git merge without conflicts as there would be zero difference between the SRPM of Fedora and EPEL7.

This package on EL7 is what needs serious testing, especially for systems that had modified nginx.conf.

As I mentioned in the BZ, another option would be to use the spec from the nginx 1.14 stream in RHEL8 - https://git.centos.org/rpms/nginx/tree/c8-stream-1.14 which was recently updated to fix various CVEs

The reality is the Fedora package is best maintained so if we want EPEL7 to be well maintained nginx.spec should be kept in sync with Fedora master branch. It was very easy for me to adapt the f32 nginx.spec to work properly on EPEL7.

Upgrading past the RHEL8 version is not a good argument against doing it as the RHEL8 version is outside of our control. Fedora/EPEL are within our control thus we should do what's best for it.


During the EPEL meeting earlier today people agreed we should synchronize the EPEL7 branch with Fedora to make it easier to maintain going forward. I heard a few reports that the upgrade was uneventful for a few customized configs but not enough people tested it. So it was agreed during the meeting that we would git merge master into EPEL7 then build it into testing for the standard 2 weeks or 3 votes. The time to object to the upgrade is during the Bodhi karma voting if you find an actual bug.

One thing is clear though, upgrading the version is our only option. It is debatable to what or how but nobody is expressing any strong opinions here so this is going into testing.

Pull-Request has been merged by wtogami

4 months ago

Sounds good to me! Thanks for taking this forward.