Message-ID: <4F15D40E.1070200@rowe-clan.net>
Date: Tue, 17 Jan 2012 14:03:26 -0600
From: "William A. Rowe Jr."
To: dev@httpd.apache.org
CC: Eric Covener
Subject: Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
References: <4F14FF5C.9090101@rowe-clan.net> <4F15008E.5050805@rowe-clan.net> <5C41D092-DE8E-4D9D-843C-FA91F85A74FD@jaguNET.com> <4F159A0C.9070200@rowe-clan.net> <4F15B05F.6070508@rowe-clan.net> <4F15D2D5.3070304@rowe-clan.net>

On 1/17/2012 2:01 PM, Eric Covener wrote:
> On Tue, Jan 17, 2012 at 2:58 PM, William A. Rowe Jr. wrote:
>> On 1/17/2012 1:56 PM, Eric Covener wrote:
>>>> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation. It seems
>>>> more efficient to set these up as patches/CVE-yyyy-iiii/ with individual
>>>> files for actively (or semi-actively) maintained versions. If there is
>>>> one patch which applies to 2.2.n < 2.2.17, and a second patch for 2.2.17
>>>> and higher, it would be easier to differentiate these all within one
>>>> directory.
>>>
>>> The current scheme has one benefit in that a responsible user on the
>>> latest release has a one-stop shop for "What do I need to add?".
>>>
>>> With the CVE as the directory, they'd have to start with some other
>>> resource/hint or browse through the descriptions/patches.
>>
>> I'm not sure about that. If I have 2.2.18, what do I apply? If there
>> were patches in .21, how do I know they apply to me?
>>
>
> Cross your fingers and visit three directories full of patches -- the
> farther back you stay, the more work you've got in store for you.
>
> I don't think you're in much better shape tracking down e.g. 7 CVEs though.

Actually, I think you are (now).

http://httpd.apache.org/security/vulnerabilities_22.html