httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: T&R of 2.4.24
Date Fri, 09 Dec 2016 05:20:37 GMT
On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <jim@jagunet.com> wrote:
>
>> AFAICT there is no consensus. But is this really a blocker?
>
>
> I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant
> vulnerability
> fixes (everyone seems very enamored with fuzz generators this past few
> years.)
>
> It doesn't block creation of httpd-2.4.24.tar.gz, obviously.
>
> It does raise the question again of whether the httpd project can
> distribute
> a source code package on www.apache.org/dist/httpd/ which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.
>

@VP Legal, is this worth an escalation? You didn't see fit to respond today,
but I think this falls under the purview of your committee, w.r.t.
unapproved
release artifacts living at www.apache.org/dist/. Did you have any thoughts
or opinions one way or another?

Mime
View raw message