
Mailing List Archive: Apache: Dev

2.2.9

 

 



jim at jaguNET

Apr 30, 2008, 6:23 AM

Post #1 of 15 (309 views)
2.2.9

With the SVN issues, I don't think a release the end of April
is going to happen *grin*

I'd like to shoot for, say, May 7th for a release... questions?
concerns?


pgollucci at p6m7g8

Apr 30, 2008, 11:50 AM

Post #2 of 15 (300 views)
Re: 2.2.9

Jim Jagielski wrote:
| With the SVN issues, I don't think a release the end of April
| is going to happen *grin*
|
| I'd like to shoot for, say, May 7th for a release... questions?
| concerns?
+1


--
Philip M. Gollucci (philip[at]ridecharge.com)
o:703.549.2050x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


rpluem at apache

May 1, 2008, 5:12 AM

Post #3 of 15 (298 views)
Re: 2.2.9

On 04/30/2008 03:23 PM, Jim Jagielski wrote:
> With the SVN issues, I don't think a release the end of April
> is going to happen *grin*
>
> I'd like to shoot for, say, May 7th for a release... questions?
> concerns?

Keep in mind that there is still a release showstopper that requires
a new apr-util release. So I am somewhat pessimistic about the proposed
timetable.

Regards

Rüdiger


jim at jaguNET

May 1, 2008, 8:11 AM

Post #4 of 15 (298 views)
Re: 2.2.9

On May 1, 2008, at 8:12 AM, Ruediger Pluem wrote:

>
>
> On 04/30/2008 03:23 PM, Jim Jagielski wrote:
>> With the SVN issues, I don't think a release the end of April
>> is going to happen *grin*
>> I'd like to shoot for, say, May 7th for a release... questions?
>> concerns?
>
> Keep in mind that there is still a release showstopper that requires
> a new apr-util release. So I am somewhat pessimistic about the
> proposed
> timetable.
>

:)

It's certainly aggressive and likely not to happen, but it's
something to shoot for... Now that SVN is coming back, things
will likely progress better.


jim at jaguNET

May 6, 2008, 6:50 AM

Post #5 of 15 (271 views)
Re: 2.2.9

I'm back from a few days away and offline, and I'd like to get
the momentum for 2.2.9 back up.

2 main things:

1. There are a number of backport proposals looking
for and waiting for a 3rd +1... if you have time
to look/review/vote, that would be good.

2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
My pref would be 1.3.


ruediger.pluem at vodafone

May 6, 2008, 7:36 AM

Post #6 of 15 (271 views)
Re: 2.2.9

> -----Original Message-----
> From: Jim Jagielski
> Sent: Tuesday, May 6, 2008 15:51
> To: dev[at]httpd.apache.org
> Subject: Re: 2.2.9
>
> I'm back from a few days away and offline, and I'd like to get
> the momentum for 2.2.9 back up.
>
> 2 main things:
>
> 1. There are a number of backport proposals looking
> for and waiting for a 3rd +1... if you have time
> to look/review/vote, that would be good.
>
> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
> My pref would be 1.3.

Ship with 1.3, but do not make it depend on 1.3 yet. This makes it
easy to swap in 1.2.x again if it turns out that there is something
nasty in 1.3. We can make it dependent on 1.3 in 2.2.10 or 2.2.11
depending on our experience.

Regards

Rüdiger


jorge.schrauwen at gmail

May 6, 2008, 9:26 AM

Post #7 of 15 (271 views)
Re: 2.2.9

On Tue, May 6, 2008 at 4:36 PM, Plüm, Rüdiger, VF-Group <
ruediger.pluem[at]vodafone.com> wrote:

>
>
> > -----Original Message-----
> > From: Jim Jagielski
> > Sent: Tuesday, May 6, 2008 15:51
> > To: dev[at]httpd.apache.org
> > Subject: Re: 2.2.9
> >
> > I'm back from a few days away and offline, and I'd like to get
> > the momentum for 2.2.9 back up.
> >
> > 2 main things:
> >
> > 1. There are a number of backport proposals looking
> > for and waiting for a 3rd +1... if you have time
> > to look/review/vote, that would be good.
> >
> > 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
> > My pref would be 1.3.
>
> Ship with 1.3, but do not make it depend on 1.3 yet. This makes it
> easy to swap in 1.2.x again if it turns out that there is something
> nasty in 1.3. We can make it dependent on 1.3 in 2.2.10 or 2.2.11
> depending on our experience.
>
> Regards
>
> Rüdiger
>

I really like this proposal (my non counting +1 on this)

--
~Jorge


sctemme at apache

May 6, 2008, 9:33 AM

Post #8 of 15 (271 views)
Re: 2.2.9

On May 6, 2008, at 7:36 AM, Plüm, Rüdiger, VF-Group wrote:

>> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
>> My pref would be 1.3.
>
> Ship with 1.3, but do not make it depend on 1.3 yet. This makes it
> easy to swap in 1.2.x again if it turns out that there is something
> nasty in 1.3. We can make it dependent on 1.3 in 2.2.10 or 2.2.11
> depending on our experience.


+1

S.

--
Sander Temme
sctemme[at]apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF


nick at webthing

May 6, 2008, 3:45 PM

Post #9 of 15 (272 views)
Re: 2.2.9

On Tue, 6 May 2008 09:50:41 -0400
Jim Jagielski <jim[at]jaguNET.com> wrote:

> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
> My pref would be 1.3.

-1.

The target audience for APR is tech-savvy: developers and
integrators. HTTPD has a larger and more mixed audience.
I'd say that puts on us a greater burden of care, including
crucially a proper review of changes in 1.3, before
bundling it in a release version of HTTPD.

As an example of what I'm concerned about, I'd point to
the serious security issue I recently documented in
mod_dbd (trunk version of docs). APR-UTIL 1.2 excludes
the dangerous driver; 1.3 includes it.

Can we enumerate other potentially-serious issues?

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/


wrowe at rowe-clan

May 6, 2008, 3:56 PM

Post #10 of 15 (271 views)
Re: 2.2.9

Nick Kew wrote:
>
> The target audience for APR is tech-savvy: developers and
> integrators. HTTPD has a larger and more mixed audience.
> I'd say that puts on us a greater burden of care, including
> crucially a proper review of changes in 1.3, before
> bundling it in a release version of HTTPD.

I don't believe that our /not/ shipping with apr-1.3 saves anyone
any grief. If apr-1.3.x branch is flawed, it must be fixed, and
then 1.3.0 released.

Why ship on 1.2.x, only to have a subset of users deploy against
the released 1.3.0 and report errant behavior? I would much rather
know from user experience that 1.3.0 did not suit them, and why,
and direct them that they can manually configure against 1.2.x as
mentioned earlier in this thread.

> As an example of what I'm concerned about, I'd point to
> the serious security issue I recently documented in
> mod_dbd (trunk version of docs). APR-UTIL 1.2 excludes
> the dangerous driver; 1.3 includes it.
>
> Can we enumerate other potentially-serious issues?

Or more specifically, could you elaborate on the dbd changes within
apr 1.3.x that need additional review? Why is this driver not
correctly dodged?

Bill


nick at webthing

May 6, 2008, 4:20 PM

Post #11 of 15 (270 views)
Re: 2.2.9

On Tue, 2008-05-06 at 23:56, William A. Rowe, Jr. wrote:

> Or more specifically, could you elaborate on the dbd changes within
> apr 1.3.x that need additional review? Why is this driver not
> correctly dodged?
>
> Bill

If the docs are not clear to you, I think that demonstrates
the need for further review. What is unclear about
"The underlying library doesn't support prepared statements,
so the driver emulates them, and the untrusted input is
merged into the SQL statement."
?

--
Nick Kew
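
The failure mode described in the quoted documentation, shown as an added example that is not part of the original post and is not apr_dbd code: Python's `sqlite3` stands in for the database, and `emulated_prepare`, the table and the sample inputs are hypothetical and constructed for illustration. It contrasts merging a value into the SQL text with binding it as a parameter.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice",), ("bob",), ("o'brien",)])
    return db

def emulated_prepare(template, args):
    """Hypothetical emulation of a prepared statement: each %s is replaced
    by the quoted argument, so the value becomes part of the SQL text."""
    parts = template.split("%s")
    if len(parts) != len(args) + 1:
        raise ValueError("placeholder/argument count mismatch")
    sql = parts[0]
    for arg, tail in zip(args, parts[1:]):
        sql += "'" + arg + "'" + tail
    return sql

def lookup_emulated(db, name):
    sql = emulated_prepare(
        "SELECT name FROM users WHERE name = %s ORDER BY name", [name])
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    # Native binding: the statement is parsed first, the value is passed
    # separately and can only ever be compared as data.
    cur = db.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in cur]

# Constructed inputs: a benign name containing a quote, and a value that
# closes the string literal and appends its own condition.
BENIGN_QUOTE = "o'brien"
UNTRUSTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", BENIGN_QUOTE, UNTRUSTED):
        try:
            merged = lookup_emulated(db, value)
        except sqlite3.OperationalError as exc:
            merged = "statement broke: %s" % exc
        print("%-14r emulated=%s bound=%s"
              % (value, merged, lookup_bound(db, value)))
```

With merging, the benign name breaks the statement and the second input changes which rows match; with binding, both are compared as plain data.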


wrowe at rowe-clan

May 6, 2008, 4:34 PM

Post #12 of 15 (270 views)
Re: 2.2.9

Nick Kew wrote:
>
> If the docs are not clear to you, I think that demonstrates
> the need for further review. What is unclear about
> "The underlying library doesn't support prepared statements,
> so the driver emulates them, and the untrusted input is
> merged into the SQL statement."

I guess my point is, why do we enable this without requiring the user
to explicitly choose this client? Caveat emptor; it shouldn't happen
without user intervention.

Bill


nikke at acc

May 7, 2008, 3:51 AM

Post #13 of 15 (252 views)
Re: 2.2.9

On Tue, 6 May 2008, Nick Kew wrote:

>> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
>> My pref would be 1.3.
>
> -1.

I tend to agree with NOT shipping 1.3.

My issue is mainly that the stable branch should be just that - stable
and boring. Fix bugs, add new features that don't conflict with
existing ones, but try the damnedest to avoid changes that might mess
up things more than needed.

If we want to be adventurous I'd prefer wrapping up what's in httpd
trunk as 2.4 and ship that with 1.3 so we have a separate bucket of
worms to fight with.

That said, we have the issue with people thinking that all major
releases will be perpetually supported and thus avoid upgrading to a
new major version. I recall this was discussed rather recently, but my
personal view is that 1.3 and 2.0 really should be in
securityfix-only-mode by now.

Looking at 2.0 and 2.2 I think that there tends to be too much that
changes in those stable releases at times, getting us in the not so
funny "every release is broken somehow" cycle...

/Nikke - opening another can of worms...
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se | nikke[at]acc.umu.se
---------------------------------------------------------------------------
"I love unicorns. What, dad? Girls are crazy about unicorns!" - Veronica
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


jim at jaguNET

May 7, 2008, 5:26 AM

Post #14 of 15 (252 views)
Re: 2.2.9

On May 7, 2008, at 6:51 AM, Niklas Edmundsson wrote:

> On Tue, 6 May 2008, Nick Kew wrote:
>
>>> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
>>> My pref would be 1.3.
>>
>> -1.
>
> I tend to agree with NOT shipping 1.3.
>

This goes w/o saying, but I'll do so anyway.

If 1.3.0 is not ready for prime time, then (1) we assume that
APR will not tag and release it and (2) we do not bundle httpd 2.2.9
with it. This does not mean that later versions of 2.2.x won't
ship with it.

With our httpd hat on, we do what's best for httpd, even if that
means we don't "push" APR ;)


ruediger.pluem at vodafone

May 7, 2008, 5:47 AM

Post #15 of 15 (254 views)
Re: 2.2.9

> -----Original Message-----
> From: Jim Jagielski
> Sent: Wednesday, May 7, 2008 14:26
> To: dev[at]httpd.apache.org
> Subject: Re: 2.2.9
>
>
> On May 7, 2008, at 6:51 AM, Niklas Edmundsson wrote:
>
> > On Tue, 6 May 2008, Nick Kew wrote:
> >
> >>> 2. Consensus on whether we ship with APR 1.2.x or 1.3.x...
> >>> My pref would be 1.3.
> >>
> >> -1.
> >
> > I tend to agree with NOT shipping 1.3.
> >
>
> This goes w/o saying, but I'll do so anyway.
>
> If 1.3.0 is not ready for prime time, then (1) we assume that
> APR will not tag and release it and (2) we do not bundle httpd 2.2.9
> with it. This does not mean that later versions of 2.2.x won't
> ship with it.
>
> With our httpd hat on, we do what's best for httpd, even if that
> means we don't "push" APR ;)

Keep in mind that if we do not bundle 1.3 we need to do a new release
of 1.2.x as it contains a regression.

Regards

Rüdiger
