Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 69168 invoked from network); 30 Sep 2005 21:11:20 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 30 Sep 2005 21:11:20 -0000 Received: (qmail 67213 invoked by uid 500); 30 Sep 2005 21:11:15 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 67148 invoked by uid 500); 30 Sep 2005 21:11:15 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 67135 invoked by uid 99); 30 Sep 2005 21:11:15 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 30 Sep 2005 14:11:15 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: local policy) Received: from [69.225.174.131] (HELO x.win.covalent.net) (69.225.174.131) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 30 Sep 2005 14:11:19 -0700 Received: from [192.168.0.21] ([24.13.128.132]) by x.win.covalent.net over TLS secured channel with Microsoft SMTPSVC(5.0.2195.6713); Fri, 30 Sep 2005 14:09:23 -0700 Message-ID: <433DA9A1.1040903@rowe-clan.net> Date: Fri, 30 Sep 2005 16:09:53 -0500 From: "William A. Rowe, Jr." User-Agent: Mozilla Thunderbird 1.0.6-1.1.fc3 (X11/20050720) X-Accept-Language: en-us, en MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: Distributing httpd-2.2, redux References: <433D8766.8050002@rowe-clan.net> <1C6421F90B049D9096AFF416@st-augustin.ics.uci.edu> In-Reply-To: <1C6421F90B049D9096AFF416@st-augustin.ics.uci.edu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 30 Sep 2005 21:09:23.0609 (UTC) FILETIME=[3B8AF090:01C5C603] X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Justin Erenkrantz wrote: > > (I would be against distributing anything beyond our 'bare' minimums - > so no zlib or OpenSSL.) I'll agree on the openssl count, although we really are only supporting later 0.9.6/0.9.7 and focusing on 0.9.8. But given how lightweight zlib is, and how much of a moving target it was before 1.2.3, I'd strongly argue that 'deflate' is a core feature, that if we teach httpd to 'reinflate' there are many old vulnerabilites that we expose our users to, and that shipping 1.2.3 would add very little pain for much mod_deflate gain. > My only comment about unbundling pcre is that we're *very* particular > about the pcre version. Then we should scream loudly if they don't grab the -bundle package that their system pcre is quite crufty and can't be used?