httpd-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Re: [PRERELEASE TARBALLS] httpd-2.3.8
Date Tue, 24 Aug 2010 22:29:57 GMT
On Tue, Aug 24, 2010 at 3:04 PM, Guenter Knauf <fuankg@apache.org> wrote:
> Hi all,
> On 24.08.2010 18:42, Jim Jagielski wrote:
>>
>> The pre-release test tarballs for httpd-2.3.8 (alpha) are
>> available for download, test and fun:
>>
>>        http://httpd.apache.org/dev/dist/
>>
>> Will call for a release vote in a coupla days...
>
> I know that this topic was already up here, but nevertheless I think we
> should re-think about including PCRE again.
> Other than openssl or zlib PCRE is a mandatory dependency like APR/APU, and
> I see no benefit in dropping it from our dependencies deliveries other than
> making tarballs smaller, and that is nowadays certainly not an issue
> anymore.
> We want Apache to build from source on as many platforms as possible - sure
> the main target is Linux / Unix, but we have a couple of other platforms
> where PCRE is not installed by default, that are at least Win32, NetWare,
> most likely OS/2, and probably a couple of others too.
> I tried to build 2.3.7 already for NetWare and Win32, and while NetWare went
> fine only because I have a (self) adapted makefile (from previous times
> when we shipped PCRE), the Win32 stuff is horrible: there comes some
> suggestion up that I should build PCRE with CMake with xxx option; 1st I
> have to download CMake and depend on another build tool (ok, not that big
> issue), but what's even worse is that the CMake build failed for me, and
> that's really bad - you can't just go and build httpd as you do on Linux, no!
> Your build process is always interrupted, and probably as in my case finally
> broken at all.
> Hey, friends, we do much better with 2.2.x where we ship PCRE: we have our
> own makefile, and the build goes through in one go without need for other
> tools like CMake - just the compiler and probably a platform PDK are enough
> (and that's how it should be).
> Therefore I want to start a vote here again where we vote for including PCRE
> again with the dependencies - just as we (now) do with APR/APU;
> and everyone who votes against should give some good reasons what speaks
> against -- the fact that every Linux comes with PCRE is certainly no good
> reason - it only leads finally to the fact that we might end up with 50
> builds of httpd 2.after-2.x with different PCRE versions which makes then
> nice bug hunting, and we can't even tell someone who faces a prob to 'use our
> shipping PCRE which is known to be good'.
>
> Here we go:
>
> [ ] YES - include recent PCRE again with dependencies (means we
>    create a PCRE repo in svn, check in a recent version, and add
>    platform-dependent makefiles which are fully integrated into
>    main build process).
>
> [ ] NO - don't include PCRE (as currently) because of reason: ...
>
 [X] NO:

There are 3-5 PCRE releases per year[1], and as a project our history
of staying up to date (including security and just bug fixes) was
generally pretty bad.  Bundling our own PCRE is a security risk best
managed by operating system vendors who take care of backporting
patches to 4-year-old versions. As an upstream, I see very little value
in maintaining PCRE in tree, and plenty of risks.

It seems that, to enable porting on other platforms, we could make a shell
script that downloaded PCRE and any other dependencies like it
(OpenSSL?), but I don't believe this has a place in the main
distribution tarball.

Thanks,

Paul
[1] - http://www.pcre.org/news.txt
