httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: T&R of 2.4.24
Date Fri, 09 Dec 2016 05:20:37 GMT
On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <>

> On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <> wrote:
>> AFAICT there is no consensus. But is this really a blocker?
> I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant
> vulnerability
> fixes (everyone seems very enamored with fuzz generators this past few
> years.)
> It doesn't block creation of httpd-2.4.24.tar.gz, obviously.
> It does raise the question again of whether the httpd project can
> distribute
> a source code package on which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.

@VP Legal, is this worth an escalation? You didn't see fit to respond today,
but I think this falls under the purview of your committee, w.r.t.
release artifacts living at Did you have any thoughts
or opinions one way or another?

View raw message