httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: 2.2.9
Date Tue, 06 May 2008 22:56:22 GMT
Nick Kew wrote:
> The target audience for APR is tech-savvy: developers and
> integrators.  HTTPD has a larger and more mixed audience.
> I'd say that puts on us a greater burden of care, including
> crucially a proper review of changes in 1.3, before
> bundling it in a release version of HTTPD.

I don't believe that our /not/ shipping with apr-1.3 saves anyone
any grief.  If apr-1.3.x branch is flawed, it must be fixed, and
then 1.3.0 released.

Why ship on 1.2.x, only to have a subset of users deploy against
the released 1.3.0 and report errant behavior?  I would much rather
know from user experience that 1.3.0 did not suit them, and why,
and direct them that they can manually configure against 1.2.x as
mentioned earlier in this thread.

> As an example of what I'm concerned about, I'd point to
> the serious security issue I recently documented in
> mod_dbd (trunk version of docs).  APR-UTIL 1.2 excludes
> the dangerous driver; 1.3 includes it.
> Can we enumerate other potentially-serious issues?

Or more specifically, could you elaborate on the dbd changes within
apr 1.3.x that need additional review?   Why is this driver not
correctly dodged?


View raw message