httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: Apache 2.2 - Change default for SSLCompression to off
Date Wed, 12 Jun 2013 19:27:18 GMT
On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
> On Wed, 12 Jun 2013 05:41:35 -0700 (PDT)
> 
> Petr Sumbera <petr.sumbera@oracle.com> wrote:
> > Hi guys,
> > 
> > shouldn't Apache 2.2 contain the same change which went for 2.4?
> > 
> > http://svn.apache.org/viewvc?view=revision&revision=1400962
> 
> In principle, we do not change defaults in a released branch.

That's not true. It doesn't happen very often but it does happen.

> This was altered after 2.4.0 was released, so obviously that
> principle was not followed.  Although there is no server
> vulnerability addressed by this change, and although it is a flaw
> in implementations (and far from all implementations) which that

All web *browsers* that support compression are affected. Only
non-browser clients are not affected. Calling that "far from all"
stretches things a bit.

> change addressed, it seems for consistency's sake that if the
> project caused this to change in the release branch of 2.4 then it
> should change in the release branch 2.2 as well.

I agree that it should be changed in 2.2, too. But it seems no one had 
time to do it.

> Perhaps this time, we entertain a proper vote rather than a pair of
> devs electing to change defaults on a whim.  Stable branches are
> RTC for a reason.

Huh? We had three devs voting for the backport. What more do you want?
