Merge pull request #72 from ppomes/debian/packaging

fzipi · web-flow · commit 851e522edf20 · 2026-03-19T15:04:15.000-03:00
feat: add Debian packaging
diff --git a/.gitignore b/.gitignore
@@ -34,3 +34,4 @@ _obj/
 .libs/
 Doxyfile
 .dirstamp
+vendor/
diff --git a/Makefile.am b/Makefile.am
@@ -42,7 +42,7 @@ AM_LDFLAGS = -framework CoreFoundation -framework Security -lresolv
 endif
 
 if LINUX
-AM_LDFLAGS = -fPIC -m64 -pthread -fno-common
+AM_LDFLAGS = -fPIC -pthread -fno-common
 endif
 
 tests_simple_get_LDFLAGS = $(AM_LDFLAGS)
diff --git a/debian/changelog b/debian/changelog
@@ -0,0 +1,5 @@
+libcoraza (1.1.1-1) unstable; urgency=low
+
+  * Initial Debian packaging.
+
+ -- Pierre Pomes <pierre.pomes@gmail.com>  Tue, 17 Mar 2026 12:00:00 +0100
diff --git a/debian/control b/debian/control
@@ -0,0 +1,35 @@
+Source: libcoraza
+Section: libs
+Priority: optional
+Maintainer: Pierre Pomes <pierre.pomes@gmail.com>
+Build-Depends: debhelper-compat (= 13),
+               autoconf,
+               automake,
+               libtool,
+               golang-go (>= 2:1.24~),
+               gcc,
+               make,
+               patchelf,
+               pkg-config
+Standards-Version: 4.7.0
+Homepage: https://github.com/corazawaf/libcoraza
+Rules-Requires-Root: no
+
+Package: libcoraza1
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: OWASP Coraza WAF C library - runtime
+ Coraza is an open-source Web Application Firewall engine. libcoraza
+ provides C bindings to the Coraza engine, allowing integration with
+ web servers like Nginx and Apache.
+
+Package: libcoraza-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: libcoraza1 (= ${binary:Version}), ${misc:Depends}
+Description: OWASP Coraza WAF C library - development files
+ Coraza is an open-source Web Application Firewall engine. This package
+ contains the header files and static library needed to build modules
+ that use libcoraza.
diff --git a/debian/copyright b/debian/copyright
@@ -0,0 +1,28 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: libcoraza
+Upstream-Contact: https://github.com/corazawaf/libcoraza/issues
+Source: https://github.com/corazawaf/libcoraza
+
+Files: *
+Copyright: 2022-2026 OWASP Coraza contributors
+License: Apache-2.0
+
+Files: debian/*
+Copyright: 2026 Pierre Pomes <pierre.pomes@gmail.com>
+License: Apache-2.0
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+     https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the complete text of the Apache License, Version 2.0
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/libcoraza-dev.install b/debian/libcoraza-dev.install
@@ -0,0 +1,3 @@
+usr/include/coraza/coraza.h
+usr/lib/*/libcoraza.a
+usr/lib/*/libcoraza.so
diff --git a/debian/libcoraza1.install b/debian/libcoraza1.install
@@ -0,0 +1 @@
+usr/lib/*/libcoraza.so.*
diff --git a/debian/make-orig-tarball.sh b/debian/make-orig-tarball.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Build a vendored orig tarball for Debian packaging.
+#
+# Launchpad and other Debian build hosts have no network access, so the
+# orig tarball must ship everything needed to build offline:
+#   - autotools generated files (configure, Makefile.in, ...)
+#   - Go vendor/ directory (all Go module dependencies)
+#
+# The tarball is created from the current git HEAD, not from a GitHub
+# release download (which lacks both autotools files and vendor/).
+#
+# Output: ../libcoraza_<version>.orig.tar.gz
+#
+# Prerequisites: git, dpkg-parsechangelog, autoconf, automake, libtool, go
+#
+# Usage: debian/make-orig-tarball.sh
+#   Run from the top-level source directory (must be a git repo).
+
+set -euo pipefail
+
+VERSION=$(dpkg-parsechangelog -S Version | sed 's/-.*//')
+TARBALL="libcoraza_${VERSION}.orig.tar.gz"
+DISTNAME="libcoraza-${VERSION}"
+WORKDIR=$(mktemp -d)
+
+trap 'rm -rf "$WORKDIR"' EXIT
+
+echo "==> Exporting git tree..."
+git archive --prefix="${DISTNAME}/" HEAD | tar xf - -C "$WORKDIR"
+
+echo "==> Generating autotools files..."
+(
+    cd "$WORKDIR/${DISTNAME}"
+    echo "$VERSION" > .tarball-version
+    ./build.sh
+)
+
+echo "==> Running go mod vendor..."
+(
+    cd "$WORKDIR/${DISTNAME}"
+    go mod vendor
+)
+
+echo "==> Creating tarball..."
+tar czf "../${TARBALL}" -C "$WORKDIR" "${DISTNAME}"
+
+echo "==> Created ../${TARBALL}"
+echo "    $(tar tzf "../${TARBALL}" | grep -c vendor/) vendor entries included"
diff --git a/debian/rules b/debian/rules
@@ -0,0 +1,59 @@
+#!/usr/bin/make -f
+
+include /usr/share/dpkg/pkg-info.mk
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export GOPATH = $(CURDIR)/.gopath
+export GOCACHE = $(CURDIR)/.gocache
+export GOFLAGS = -mod=vendor
+export GOPROXY = off
+export GONOSUMCHECK = *
+export GOTOOLCHAIN = local
+
+SOMAJOR = 1
+SOVER = $(DEB_VERSION_UPSTREAM)
+MULTIARCH_LIBDIR = usr/lib/$(DEB_HOST_MULTIARCH)
+
+%:
+	dh $@
+
+override_dh_autoreconf:
+	./build.sh
+
+override_dh_auto_configure:
+	dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
+
+override_dh_auto_build:
+	$(MAKE) all
+
+override_dh_auto_install:
+	# Install manually to decouple from the check target
+	install -d debian/tmp/$(MULTIARCH_LIBDIR)
+	install -d debian/tmp/usr/include/coraza
+	install -m 0755 libcoraza.so debian/tmp/$(MULTIARCH_LIBDIR)/
+	install -m 0644 libcoraza.a debian/tmp/$(MULTIARCH_LIBDIR)/
+	install -m 0644 coraza/coraza.h debian/tmp/usr/include/coraza/coraza.h
+	# Set SONAME and create versioned symlink chain
+	patchelf --set-soname libcoraza.so.$(SOMAJOR) debian/tmp/$(MULTIARCH_LIBDIR)/libcoraza.so
+	mv debian/tmp/$(MULTIARCH_LIBDIR)/libcoraza.so debian/tmp/$(MULTIARCH_LIBDIR)/libcoraza.so.$(SOVER)
+	ln -s libcoraza.so.$(SOVER) debian/tmp/$(MULTIARCH_LIBDIR)/libcoraza.so.$(SOMAJOR)
+	ln -s libcoraza.so.$(SOMAJOR) debian/tmp/$(MULTIARCH_LIBDIR)/libcoraza.so
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+	# Run only the C integration test; skip go test -race (not portable across archs)
+	$(MAKE) tests/simple_get
+	cd tests && ./check_result.sh simple_get
+endif
+
+override_dh_dwz:
+	# Skip dwz compression (incompatible with cgo-built shared libraries)
+
+override_dh_strip:
+	dh_strip --no-automatic-dbgsym
+
+override_dh_auto_clean:
+	[ ! -f Makefile ] || $(MAKE) distclean
+	chmod -Rf u+w .gopath .gocache 2>/dev/null || true
+	rm -rf .gopath .gocache
diff --git a/debian/source/format b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+usr/include/coraza/coraza.h`
	`2`	`+usr/lib/*/libcoraza.a`
	`3`	`+usr/lib/*/libcoraza.so`