httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Distributing httpd-2.2, redux
Date Fri, 30 Sep 2005 21:09:53 GMT
Justin Erenkrantz wrote:
> 
> (I would be against distributing anything beyond our 'bare' minimums - 
> so no zlib or OpenSSL.)

I'll agree on the openssl count, although we really are only supporting
later 0.9.6/0.9.7 and focusing on 0.9.8.

But given how lightweight zlib is, and how much of a moving target it
was before 1.2.3, I'd strongly argue that 'deflate' is a core feature,
that if we teach httpd to 'reinflate' there are many old vulnerabilities
that we expose our users to, and that shipping 1.2.3 would add very
little pain for much mod_deflate gain.

> My only comment about unbundling pcre is that we're *very* particular 
> about the pcre version.

Then we should scream loudly if they don't grab the -bundle package that
their system pcre is quite crufty and can't be used?
