Old builds preserved in "stable" PPA?

Asked by Greg Back on 2019-08-22

I'm not sure if this is the best place to ask this. If not, I apologize.

We are trying to use the nginx/stable PPA (https://launchpad.net/~nginx/+archive/ubuntu/stable), and have a pinned version in our build scripts, because we build custom dynamic modules against this build (which we include and install manually). When the version in that PPA recently changed from 1.16.0 to 1.16.1, it broke our build process. We are using this PPA because the nginx package in the main Ubuntu package repos (for 18.04) is still 1.14.

Am I misunderstanding the purpose of the nginx/stable PPA? Is there a place that I can reliably reference a pinned version of nginx 1.16? Obviously we should plan to upgrade as new versions are released, but I would prefer to do that on our timeline rather than having the version we're using disappear.

Thanks so much!

Question information

Language: English
Status: Solved
For: Nginx
Assignee: No assignee
Solved by: Manfred Hampl
Best Manfred Hampl (m-hampl) said:
#1

Changes with nginx 1.16.1 13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

If these security patches break your build process, then something is wrong with it.

It is your decision when and how you install version updates.
You can configure your local system to stick to an older version (e.g. by apt pinning). This is completely independent from the repository sources that you use (Ubuntu's official sources or PPAs).

Superseded versions are also removed from Ubuntu's official repositories, so that is not different with PPAs.

Greg Back (gtback) said:
#2

Thanks, Manfred. I didn't realize that the official Ubuntu repositories behave the same way.

We have compiled artifacts that depend on a specific version of nginx, but still wanted to rely on a .deb package for installing nginx (for easy integration with Ubuntu users/permissions/services, etc.).

Sounds like we need to rethink our build process, though. Maybe just grab the .deb of a specific version and keep that with our other compiled artifacts, instead of using a PPA. And obviously stay alert for security vulnerabilities, but update our cached .deb along with our other compiled modules.
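The two mechanisms discussed in this thread, Manfred's apt pinning and Greg's plan to keep a cached .deb next to the compiled modules, as an added example that is not part of either post: a helper that emits the pin stanza, and a helper that checks a cached .deb against a recorded sha256 before a build script hands it to dpkg. The function names, the NGINX_PIN_VERSION variable and the file paths in the usage comments are assumptions, not anything from the PPA or the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for the approach discussed
# above: hold nginx at a chosen version via apt pinning, and verify a cached
# .deb against a recorded checksum before installing it.
# Assumed names: pin_prefs, verify_deb, NGINX_PIN_VERSION (all hypothetical).

NGINX_PIN_VERSION="${NGINX_PIN_VERSION:-1.16.0}"

# Print an apt preferences stanza that pins every nginx* package to the given
# upstream version. Priority 1001 also forces a downgrade if a newer build is
# already installed; use 1000 if you only want to block upgrades.
# Caveat from the thread: a pin only helps while that version is still
# installed or still in the PPA, and holding 1.16.0 keeps the HTTP/2 fixes
# from 1.16.1 out, so pair it with a scheduled rebuild against the new .deb.
pin_prefs() {
    ver="$1"
    printf 'Package: nginx*\nPin: version %s*\nPin-Priority: 1001\n' "$ver"
}

# Compare a cached .deb with the sha256 hex digest recorded alongside your
# build artifacts. Returns 0 on match, 1 on mismatch or missing file, so a
# build script can abort before dpkg -i ever runs.
verify_deb() {
    deb="$1"
    expected="$2"
    [ -f "$deb" ] || return 1
    actual=$(sha256sum "$deb" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Typical use (not executed here; paths are placeholders):
#   pin_prefs "$NGINX_PIN_VERSION" | sudo tee /etc/apt/preferences.d/nginx
#   apt-cache policy nginx      # confirm the candidate is the pinned build
#   verify_deb ./nginx_1.16.0.deb "$(cut -d' ' -f1 ./nginx_1.16.0.deb.sha256)" \
#       && sudo dpkg -i ./nginx_1.16.0.deb
```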

Greg Back (gtback) said:
#3

Thanks Manfred Hampl, that solved my question.