Received: by taz.hyperreal.com (8.8.3/V2.0) id HAA18394; Tue, 7 Jan 1997 07:44:19 -0800 (PST)
Received: from Master by taz.hyperreal.com (8.8.3/V2.0) with SMTP id HAA18384; Tue, 7 Jan 1997 07:44:14 -0800 (PST)
Date: Tue, 7 Jan 1997 10:26:15 -0500
Message-Id: <97010710261565@decus.org>
From: coar@decus.org (Rodent of Unusual Size)
To: new-httpd@hyperreal.com, Coar@topaz.decus.org
Subject: Re: snprintf()
X-VMS-To: SMTP%"new-httpd@hyperreal.com"
X-VMS-Cc: COAR
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

From the fingers of Rob Hartill flowed the following:
>
>I'd prefer we release 1.2 sooner rather than later and as something that
>resembles 1.2b1.

Is the snprintf() issue a bug fix, or a new feature? If a bug fix
touches enough code, does it *become* a feature?

Personally, I agree with Rob on closing 1.2 with no more features than
have been added to date (fewer would be nice ;-). I've always felt a
bit uncomfortable with stuff to any software added during a beta cycle.

On the other hand, since it's unclear to me when the next release beyond
1.2 will hit the wire, I'd like to see the buffer overrun potential
removed from 1.2 before final release. I think that's too big a
vulnerability in a high-quality server as widely deployed as Apache.
If we don't close it now, there probably *will* be a 1.2.1..

>If we put in a snprintf before 1.2, I'd be amazed if it turned out to
>be the last big change.

Is there a lower-impact way of closing the hole that would suit you for
1.2, Rob? Should it be left open for now and closed as part of 2.0?

>Let's get 1.2 out and start on 2.0. If we've got some big patches ready
>for 2.0 then it starts its -dev life with some momentum.

+1, although I suspect 1.3 might need to be opened in parallel if 2.0's
latency is too great.

Just MHO..

#ken :-)}