On Jan 31, 2012, at 12:50 PM, William A. Rowe Jr. wrote: > On 1/31/2012 11:30 AM, Jim Jagielski wrote: >> Just to be clear, the current thinking is that we do not bundle >> apr/apu at all with 2.4.x... either as a sep tarball (the -deps), >> nor simply slapped in there (ala 2.2.x)... >> >> I wonder if the issue is that we call that tarball httpd...-deps. I >> wonder if people would think differently if we named it httpd...-aprlibs >> or something like that, which makes it clear that we're providing apr/apu >> simply as a Nice Thing for our end users, but not as a *dependency*, >> which carries a different connotation ... > > No. It is a dependency. It is not convenient, unless the HTTP Server > RM's are all committed to repackaging all of the -deps every time the > APR project introduces a security fix or significant bug fix. > > Providing the wrong packages for any given point in time is not > a convenience, it is a disservice. >
The release is a snapshot of time. All we are saying if we bundle apr/apu (in whatever fashion) is that at the time we are releasing httpd, here are the additional ASF packages (apr/apu) that we're providing to you, the end user, for your convenience. We are free to call that package whatever the heck we want. There's really no reason to make this more difficult than it is... I am sure that when we make windows builds, it is quite possible that we are "bundling" things in there which, by your argument, implies forcing the windows builder here to rebuild it to capture updates. I for one don't care whether we do or not, but I think that it's a topic for discussion; other may think it's a nice thing to do. And if the concern against it is something that is easily fixed, then that is also a good thing to know.
