httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: T&R of 2.4.24
Date Fri, 23 Dec 2016 07:32:28 GMT
On Fri, Dec 9, 2016 at 8:03 AM, Jim Jagielski <jim@jagunet.com> wrote:

>
> > On Dec 9, 2016, at 12:20 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> >
> > On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> >
> > @VP Legal, is this worth an escalation? You didn't see fit to respond
> today,
> > but I think this falls under the purview of your committee, w.r.t.
> unapproved
> > release artifacts living at www.apache.org/dist/. Did you have any
> thoughts
> > or opinions one way or another?
>
> How is this different from, say, the win32 src zips or the
> complimentary binary builds?


That's an interesting question, or questions...

For starters, source aren't binaries, but of course you knew that, as our
esteemed VP, Legal.

When ASF projects convey binaries, they convey them (purportedly) based
on the current jars/wars of the dependencies (are there other dependent
projects? SVN doesn't ship binaries, and I have no clue what OpenOffice
does. Other non-java examples are few and far between.)

These are fetched up fresh from maven or whatnot, and don't have a lot of
bearing on how non-java projects do things. AIUI, those jars don't even
supplant what is already provisioned, if those are more current, unless
the manifest demands an old rev.

The prior win32 src (before I committed that to branch, not trunk, and
didn't worry our silly heads about crlf after I wrote the apr fix script)
didn't include extra artifacts, unless you count apr-iconv. And I have
deep reservations about that call, if you've seen my comments about
what citrus might bring us and lack of maintaining that BSD iconv fork.

Thanks for the redaction on the 2.4.25-deps artifact. Frankly, I would
not have helped you push that out the door without that one concession.
And mad props to JChapmion for pushing the announce, since I didn't
have ASF smtp at the ready. So as always, it was an effort of many.

Fundamental issue with pushing -deps of, say, APR 1.5.2, is that the
following week is that 1.5.3 with bug fixes is released. Is the httpd
project responsible for updating -deps? Or f' ya all, download this
package... it won't hurt you... hopefully? Believe me, I went through
all that as an httpd win32 binary distributor who bundled openssl,
so I know this specific pain-point, and sense of responsibility, and
did have to ship new interim binaries when bad things were disclosed.

I hope you sort this out in your ombudsman role, because this is the
test of whether you understand ASF responsibilities, both legally,
and in the sense of our entire ecosystem, and the will of your specific
project who had a very firm position, before you undermined it.

Cheers, and a Merry Christmas!

Bill

Mime
View raw message