httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [VOTE] Release 2.3.10 tarballs as Alpha
Date Tue, 21 Dec 2010 18:09:20 GMT
On 12/21/2010 9:34 AM, Jim Jagielski wrote:
> 
> On Dec 21, 2010, at 9:19 AM, Jim Jagielski wrote:
> 
>>
>> On Dec 20, 2010, at 6:43 PM, William A. Rowe Jr. wrote:
>>
>>> On 12/16/2010 6:51 AM, Jim Jagielski wrote:
>>>> The Apache httpd 2.3.10-alpha test tarballs are available at:
>>>>
>>>> 	http://httpd.apache.org/dev/dist/
>>>>
>>>> Please vote on whether to release as 2.3.10-alpha.
>>>
>>> -1 on httpd-2.3.10-deps.  pcre is missing, although apr, apr-util and
>>> even expat are there.
>>
>> Is that a regression?
> 
> Maybe I'm just not seeing it, but I can't find pcre in the
> 2.3.6 nor the 2.3.8 deps either...

Irrelevant, you stated this is the final alpha, last chance to fix the
packaging to the alignment of beta.

But I'm reviewing the vote, I really don't know where we got to last
time this was discussed, it went in circles a few times, I don't see
the [Vote][Result].

When I posted the first message below, pgollucci and nikke concurred,
pquerna and sctemme appeared to disagree with bundling it.  Michael was
especially confused by the missing pcre (AIX).

In 2.3.8 non-vote discussion thread, guenter raised this again.  pquerna
was extremely opposed to bundling it (2nd attach below), I agreed for the
converse reason that I expressed in the prior discussion.  sctemme had some
ambiguous middle ground which seemed quite sane.

So the more that I think about it, there are vulnerable pcre's floating
around, which end up being httpd vulnerabilities, and distributing the
freshest pcre 8.1 (whatever remains binary compatible) as we continue to
also ship apr makes sense.  I'm in favor of making things easy on our
users, keeping httpd more secure, but not forcing any particular distro
of pcre on the users and let them default to their OS provided flavor.

We want -alpha, -beta adoption, provide a package called -deps, and don't
ship our mandatory deps; that seems stupid.

For the reasons pquerna so elegantly expressed, it's also stupid to ship
apr-util and apr, when those vulnerabilities also roll down on httpd, and
users think they are blocked on a particular httpd (or httpd-deps) package.

So my vote on -deps becomes -0, and I will no longer vote on it at all
since the inclusion and discussion of -deps is intellectually inconsistent.
It won't be used anyways for packaging httpd binaries since I'd simply pick
up the current apr/apr-util/openssl/zlib/pcre anyways.  I don't see a reason
to rely on a package of half of the -deps.  It doesn't hurt or harm me, but
adoption is a concern.

I'm +1 on eliminating -deps altogether, but don't believe that such a
proposal has popular support.
