httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Apache 2.2 - Change default for SSLCompression to off
Date Wed, 12 Jun 2013 19:52:48 GMT
On Wed, 12 Jun 2013 21:27:18 +0200
Stefan Fritsch <sf@sfritsch.de> wrote:

> On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
> > On Wed, 12 Jun 2013 05:41:35 -0700 (PDT)
> > 
> > In principle, we do not change defaults in a released branch.
> 
> That's not true. It doesn't happen very often but it does happen.

Which is why I used the word principle.  When it happens, it is the
(legitimately necessary) exception.

> > This was altered after 2.4.0 was released, so obviously that
> > principle was not followed.  Although there is no server
> > vulnerability addressed by this change, and although it is a flaw
> > in implementations (and far from all implementations) which that
> 
> All web *browsers* that support compression are affected. Only non-
> browser clients are not affected. Calling that "far from all" 
> stretches things a bit.

You would be wrong, please see my other note.

> > change addressed, it seems for consistency's sake that if the
> > project caused this to change in the release branch of 2.4 then it
> > should change in the release branch 2.2 as well.
> 
> I agree that it should be changed in 2.2, too. But it seems no one
> had time to do it.

I plan to tag in sync with Jim's 2.4 tag, this would be a lovely time
to adopt such a change.

> > Perhaps this time, we entertain a proper vote rather than a pair of
> > devs electing to change defaults on a whim.  Stable branches are
> > RTC for a reason.
> 
> Huh? We had three devs voting for the backport. What more do you want?

I'd like an accurate svn commit message?  Is that a bit much to ask?
Or are we expected to troll through archives on every simple inquiry?
