httpd-dev mailing list archives

From Ruediger Pluem <>
Subject Re: As we contemplate what to fix, and how to roll out 2.4 and 3.0
Date Tue, 02 Oct 2007 19:06:07 GMT

On 10/02/2007 08:52 PM, Paul Querna wrote:
> Jim Jagielski wrote:
>> On Oct 2, 2007, at 2:36 PM, Jeff Trawick wrote:
>>> On 10/2/07, Jim Jagielski <> wrote:
>>>> On Oct 1, 2007, at 6:52 PM, William A. Rowe, Jr. wrote:
>>>>> William A. Rowe, Jr. wrote:
>>>>>> Give that some thought :)
>>>>> One thing I'm pondering is a 2.3.0 alpha in the near future.
>>>>> If only to give the "we stay back at version n.x-1" crowd something
>>>>> to chew on.
>>>>> Not to mention that it would be good for folks to start exploring
>>>>> what needs to be fixed in the API, etc.
>>>> Well, we could do:
>>>>    o Apache 1.3 and 2.0 deprecated
>>> (deprecated == no fixes after some date)
>>> Somebody somewhere will patch 1.3.last with security fixes for
>>> newly-discovered vulnerabilities.  If nowhere visible/common, then
>>> possibly 100s of individuals will be doing that for themselves.  Is
>>> there really enough value in making a statement that we disagree with
>>> those many servers continuing to run 1.3 to justify sending Apache
>>> users somewhere else for fixes?
>>> (When there are fewer than 3 httpd developers willing to
>>> review/approve/publish security fixes for 1.3, this is of course
>>> irrelevant.)
>> As one of the very few remaining 1.3 developers, I both want
>> to not cut off 1.3 users at the knees, but nor do I want
>> us to keep holding onto a codebase which is really not
>> being developed anymore... I don't think it's so much
>> a statement that "you need to move on" but rather "*we* (the
>> ASF) have moved on" from 1.3...
> So, the first step is to cut out any illusion that new features are
> going into 1.3, with a statement like this:
> Starting in January 2008, only critical security issues will be fixed in
> Apache HTTP Server versions 1.3.x or 2.0.x.

I think for 1.3 we are already in this state, although we did not announce it.
A while ago many of the 1.3 bugs were closed and we said that we do not fix
it any longer for 1.3.
So January 2008 looks fine to me regarding 1.3.x.
As this step is more surprising for 2.0.x to the users I would propose to
announce January 2009 for 2.0.x as the date for security fixes only.
This gives people who *want* and *need* our bugfixing support more time to
Furthermore we have far more 2.0.x developers still active than 1.3.x developers
and so I think we can afford this.

> I honestly believe we will be somewhat responsible for fixing any major
> security issues in 1.3 and 2.0 for the next 5-10 years, unless Waka
> suddenly explodes and replaces http :-)



