httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 17:31:11 GMT
On 1/17/2012 10:26 AM, Graham Leggett wrote:
> 
> Take our opening site page at http://httpd.apache.org/, no mention of patches at all.
Zoom in a little to the download page at http://httpd.apache.org/download.cgi#apache23, and
still no mention of the patches directory. If our end users aren't alerted to the fact these
patches exist, you can hardly expect our committers to.

I was curious too, so here's what I found across the whole site;

https://www.google.com/search?q="dist%2Fhttpd%2Fpatches"+site%3Ahttpd.apache.org&filter=0

Clearly, awareness of this area has steadily decreased.  Since our
docs team are partners in maintaining the site, these references have
obviously been deleted over time.  We all need to be aware of the same
publishing mechanism, and this one has fallen apart.

So it's a good time to work out what the right strategy is, seeing as
there is overwhelming support for 'somehow' publishing patches.

I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation.  It seems
more efficient to set these up as patches/CVE-yyyy-iiii/ with individual
files for actively (or semi-actively) maintained versions.  If there is
one patch which applies to 2.2.n < 2.2.17, and a second patch for 2.2.17
and higher, it would be easier to differentiate these all within one
directory.

This suggestion precludes publishing 'other' patches.  Is there still a
role for 3rd party contrib or other unreleased patches that individuals
homes on people.a.o doesn't fulfill?


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message