On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <j...@jagunet.com> wrote:
> AFAICT there is no consensus. But is this really a blocker?

I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant vulnerability fixes (everyone seems very enamored with fuzz generators these past few years.)

It doesn't block creation of httpd-2.4.24.tar.gz, obviously.

It does raise the question again of whether the httpd project can distribute a source code package on www.apache.org/dist/httpd/ which is not voted on by the project, and whether it violates the spirit of the pmc consensus to no longer be the distributor of dependencies which frequently fall into a poorly maintained/updated state.

So it's simply a question about the -deps package, and since that is never given a release vote, it really isn't holding up any tag & roll.

>
> On Dec 8, 2016, at 12:38 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
> > Things are looking good for a T&R of 2.4.24 sometime late
> > today.
> >
> > If you have any issues or concerns, let me know asap.
> >
> > Do we have any consensus on dropping the stale and vulnerable
> > expat or pcre packages from the pretending-not-to-be-released
> > -deps artifact in the www.a.o/dist/httpd/ releases tree?