httpd-dev mailing list archives

From Paul Querna <c...@force-elite.com>
Subject Re: As we contemplate what to fix, and how to roll out 2.4 and 3.0
Date Tue, 02 Oct 2007 18:52:20 GMT
Jim Jagielski wrote:
> 
> On Oct 2, 2007, at 2:36 PM, Jeff Trawick wrote:
> 
>> On 10/2/07, Jim Jagielski <jim@jagunet.com> wrote:
>>>
>>> On Oct 1, 2007, at 6:52 PM, William A. Rowe, Jr. wrote:
>>>
>>>> William A. Rowe, Jr. wrote:
>>>>>
>>>>> Give that some thought :)
>>>>
>>>> One thing I'm pondering is a 2.3.0 alpha in the near future.
>>>>
>>>> If only to give the "we stay back at version n.x-1" crowd something
>>>> to chew on.
>>>>
>>>> Not to mention that it would be good for folks to start exploring
>>>> what needs to be fixed in the API, etc.
>>>>
>>>
>>> Well, we could do:
>>>
>>>    o Apache 1.3 and 2.0 deprecated
>>
>> (deprecated == no fixes after some date)
>>
>> Somebody somewhere will patch 1.3.last with security fixes for
>> newly-discovered vulnerabilities.  If nowhere visible/common, then
>> possibly 100s of individuals will be doing that for themselves.  Is
>> there really enough value in making a statement that we disagree with
>> those many servers continuing to run 1.3 to justify sending Apache
>> users somewhere else for fixes?
>>
>> (When there are fewer than 3 httpd developers willing to
>> review/approve/publish security fixes for 1.3, this is of course
>> irrelevant.)
>>
> 
> As one of the very few remaining 1.3 developers, I both want
> to not cut off 1.3 users at the knees, but nor do I want
> us to keep holding onto a codebase which is really not
> being developed anymore... I don't think it's so much
> a statement that "you need to move on" but rather "*we* (the
> ASF) have moved on" from 1.3...

So, the first step is to cut out any illusion that new features are
going into 1.3, with a statement like this:

Starting in January 2008, only critical security issues will be fixed in
Apache HTTP Server versions 1.3.x or 2.0.x.

I honestly believe we will be somewhat responsible for fixing any major
security issues in 1.3 and 2.0 for the next 5-10 years, unless Waka
suddenly explodes and replaces http :-)

Thoughts?
