Re: [VOTE] Release httpd-2.4.48

[Christophe JAILLET]

Le 17/05/2021 à 23:36, Christophe JAILLET a écrit :

Hi, all;
    Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this 
candidate tarball as 2.4.48:

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
*httpd-2.4.48.tar.gz
sha512: 
91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb 
*httpd-2.4.48.tar.gz


The SVN tag is '2.4.48' at r1889975.



My +1 as well,

CJ

Re: [VOTE] Release httpd-2.4.48

[Ivan Zhakov]

On Tue, 18 May 2021 at 00:37, Christophe JAILLET
 wrote:
>
> Hi, all;
> Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.48:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
Tested on Windows. I confirm that ETag regression that was present in
httpd 2.4.47 does not reproduce in httpd 2.4.48.

But if I were the one to ask, I would say that r1889793 is too large
to be released in a patch release, and should instead be included in
2.6.x.

--
Ivan Zhakov

Re: [VOTE] Release httpd-2.4.48

[Rainer Jung]

Am 17.05.2021 um 23:36 schrieb Christophe JAILLET:

Hi, all;
    Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this 
candidate tarball as 2.4.48:

[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
*httpd-2.4.48.tar.gz
sha512: 
91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb 
*httpd-2.4.48.tar.gz


The SVN tag is '2.4.48' at r1889975.


+1 to release and thanks a bunch for RM!

Summary: all OK except for

- one single crash on SLES 11 statically linked during SSL handshake.

- two crashes on Solaris with prefork MPM during shutdown. Only with 
released APR/APU not with svn heads. Tests ongoing. I think I have seen 
such before, so not a regression.


- minor nit: The following files in the tarballs contains french date 
lines probably due to exporting them from svn with your local locale:

  - ROADMAP
  - VERSIONING
  - maybe others?
  Maybe already fixed, I saw some conversation about in the future
  using a default locale in scripts.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8 (64 Bits)

For all platforms built

- with default (shared) and static modules
- with module set reallyall
- using --enable-load-all-modules
- against
  - bundled APR/APU from deps tarball
  - external APR/APU 1.7.0/1.6.1 (expat)
  - APR/APU 1.6.5/1.6.1 (expat)
  - APR/APU 1.7.x r1889104/1.7.x r1889948 (expat)
  - APR/APU 1.7.x r1889104/1.7.x r1889948 (libxml2)
  - APR/APU 1.6.x r1876940/1.6.x r1889948 (expat)

- using external libraries
  - expat 2.3.0
  - pcre 8.44
  - lua 5.4.3 (compiled with LUA_COMPAT_MODULE)
  - libxml2 2.9.12
  - libnghttp2 1.43.0
  - brotli 1.0.9
  - curl 7.76.1
  - jansson 2.13.1
  - libldap 2.4.58 (resp. 2.4.52 when using OpenSSL 0.9.8)
and
  - openssl 0.9.8zh, 1.0.2, 1.0.2u, 1.1.1, 1.1.1k, 3.0.0alpha16

- Tool chain:
- platform gcc except on Solaris
  (gcc 9.3.0 Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  - on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE,
-D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__
and -D_XPG6

All of the 884 builds succeeded.

- compiler warnings: see earlier separate mail


Tested for

- SLES 11+12 done
- SLES 15 and RHEL 6+7+8 mostly done
- Solaris 10 Sparc about 12% done
- MPMs prefork, worker, event
- default and static module builds
- log level trace8
- module set reallyall (129 modules plus 3 MPMs)
- Perl client bundle build against OpenSSL 1.1.1g plus patches, 1.1.0l, 
1.0.2u and 0.9.8zh

- OpenSSL once linked statically and once as a shared library

Every OpenSSL version in the client is tested with every OpenSSL version 
in the server.


The total number of test suite runs until now is ~8000 (more still to 
come, especially most of the Solaris ones and some of those with 
statically linked OpenSSL in combination with statically linked server 
on Linux).


Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
  -my $bigsize = 10;
  +my $bigsize = 1;

- fixing limitrequestline overwrite which does not yet really work in 
Apache-Test/lib/Apache/TestConfig.pm

87d86
 'global LimitRequestLine setting (default is 128)',
96a96
> #   limitrequestline => 'global LimitRequestLine setting (default is 
128)',

372,373c372,373
< $vars->{limitrequestline} ||= 128;
< $vars->{limitrequestlinex2} = 2 * $vars->{limitrequestline};
---
> #$vars->{limitrequestline} ||= 128;
> #$vars->{limitrequestlinex2} = 2 * $vars->{limitrequestline};

- the temporary workaround for OpenSSL 3 when using "openssl crl -hash" 
with STDIN in Apache-Test/lib/Apache/TestSSLCA.pm is no longer 
necessary, problem fixed in OpenSSL 3.0.0alpha16



The following test failures were seen:

a A single crash in SLES 11 APU 1.6.1 APR 1.7.0 OpenSSL 1.0.2u
  build statically using event.
  Crash during ssl_io_filter_handshake calling ... CRYPTO_malloc and
  finally "glibc detected *** /path/to/bin/httpd: malloc():
  memory corruption: 0x00faafe1"
  gdb data see below.

b Two crashes on Solaris 10 Sparc,
  once APU 1.6.1 APR 1.6.5 OpenSSL 3.0.0alpha16
  and once APU 1.6.1 APR 1.7.0 OpenSSL 1.1.1k
  build dynamically both using prefork.
  Crash during shutdown when apr_pool_destroy() for the
  pchild pool calls allocator_free() (invalid node->next).
  Might be fixed in svn heads. I will check, whether the ongoing
  Solaris 

Re: [VOTE] Release httpd-2.4.48

[William A Rowe Jr]

The bandages back-ported from trunk resolved all the lua 5.4 issues... +1
from the peanut gallery for this candidate.

On Mon, May 17, 2021, 16:37 Christophe JAILLET <
christophe.jail...@wanadoo.fr> wrote:

> Hi, all;
> Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.48:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e
> *httpd-2.4.48.tar.gz
> sha512:
> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
>
> *httpd-2.4.48.tar.gz
>
> The SVN tag is '2.4.48' at r1889975.
>
> --
> Christophe JAILLET
>

Re: [VOTE] Release httpd-2.4.48

[Noel Butler]

On 20/05/2021 03:43, Christophe JAILLET wrote:

So, even if the LibreSSL built was completely broken, I wouldn't 
consider it as a showstoper.


Agreed, libressl is not used by any mainstream OS, its used by the OS 
related to forking it from openssl in openbsd, and maybe its spinoff 
(forget its name) but not used in freebsd, Redhat/fedora 
Debian/ubuntu/mint, SuSe, Slackware, Gentoo, Arch ...


When one of these guys start using it in place of openssl then perhaps 
it should be considered a problem, but I don't see that happening any 
year soon


--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.

Re: [VOTE] Release httpd-2.4.48

[Giovanni Bechis]

On Wed, May 19, 2021 at 07:43:51PM +0200, Christophe JAILLET wrote:
> Le 18/05/2021 à 14:57, Giovanni Bechis a écrit :
> > On 5/18/21 1:53 PM, Joe Orton wrote:
> >> On Tue, May 18, 2021 at 01:30:25PM +0200, Ruediger Pluem wrote:
> >>>
> >>>
> >>> On 5/18/21 11:52 AM, Giovanni Bechis wrote:
>  On 5/17/21 11:36 PM, Christophe JAILLET wrote:
> > Hi, all;
> >     Please find below the proposed release tarball and signatures:
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release this 
> > candidate tarball as 2.4.48:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> > sha256: 
> > 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
> > *httpd-2.4.48.tar.gz
> > sha512: 
> > 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
> >  *httpd-2.4.48.tar.gz
> >
> > The SVN tag is '2.4.48' at r1889975.
> >
>  -1 for me.
>  new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
>  EVP_PKEY_X448 are defined.
>  I have asked LibreSSL guys if they will add EVP_PKEY_* constants to 
>  evp.h.
> 
> Hi Giovanni,
> 
>  From my point of view, we do not *officially* support LibreSSL. The 
> mod_ssl doc is only about OpenSSL. I've found no reference to it, apart 
> from the many LIBRESSL_VERSION_NUMBER in the code itself.
> So, even if the LibreSSL built was completely broken, I wouldn't 
> consider it as a showstoper.
> 
> If we consider that Linking against LibreSSL is a must have, then, at 
> least we should update the doc.
> 
I have several Apache httpd + LibreSSL setups and I would like to keep them 
working
I will work to have LibreSSL compatibility as much as I can.


> >>>
> >>> Did 2.4.46 build with LibreSSL?
> >>
> > 2.4.46 and 2.4.47 builds.
> >  >> Looks like this is new in 2.4.48 but both LibreSSL users can work around
> >> this or not build mod_md, it doesn't seem like a showstopper.
> >>
> > no real showstopper for me, please remove my "-1" vote.
> > 
> 
> Let us know if you want to change your vote to something else (see [1]) 
> or if you just don't vote for this release.
> 
+1 for me then, I can backport patches where needed.


> >   
> >> Giovanni, if you care about keeping Libre support alive can you work out
> >> how to get it building in Travis?  It's daft if we are only hitting
> >> these compat issues in post-roll testing.
> >>
> > I agree and I will take a look at it.
> 
> Just great :)
> Thx.
> 
> And then, updating the doc would worth it ;-)
> 
This will be one of the first steps.

 Giovanni


> CJ
> 
> [1]: 
> https://apache.org/foundation/voting.html#expressing-votes-1-0-1-and-fractions
> 


signature.asc
Description: PGP signature

Re: [VOTE] Release httpd-2.4.48

[Christophe JAILLET]

Le 18/05/2021 à 14:57, Giovanni Bechis a écrit :

On 5/18/21 1:53 PM, Joe Orton wrote:

On Tue, May 18, 2021 at 01:30:25PM +0200, Ruediger Pluem wrote:



On 5/18/21 11:52 AM, Giovanni Bechis wrote:

On 5/17/21 11:36 PM, Christophe JAILLET wrote:

Hi, all;
    Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this candidate 
tarball as 2.4.48:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
*httpd-2.4.48.tar.gz
sha512: 
91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
 *httpd-2.4.48.tar.gz

The SVN tag is '2.4.48' at r1889975.


-1 for me.
new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
EVP_PKEY_X448 are defined.
I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.


Hi Giovanni,

From my point of view, we do not *officially* support LibreSSL. The 
mod_ssl doc is only about OpenSSL. I've found no reference to it, apart 
from the many LIBRESSL_VERSION_NUMBER in the code itself.
So, even if the LibreSSL built was completely broken, I wouldn't 
consider it as a showstoper.


If we consider that Linking against LibreSSL is a must have, then, at 
least we should update the doc.




Did 2.4.46 build with LibreSSL?



2.4.46 and 2.4.47 builds.
 >> Looks like this is new in 2.4.48 but both LibreSSL users can work around

this or not build mod_md, it doesn't seem like a showstopper.


no real showstopper for me, please remove my "-1" vote.



Let us know if you want to change your vote to something else (see [1]) 
or if you just don't vote for this release.


  

Giovanni, if you care about keeping Libre support alive can you work out
how to get it building in Travis?  It's daft if we are only hitting
these compat issues in post-roll testing.


I agree and I will take a look at it.


Just great :)
Thx.

And then, updating the doc would worth it ;-)

CJ

[1]: 
https://apache.org/foundation/voting.html#expressing-votes-1-0-1-and-fractions

Re: [VOTE] Release httpd-2.4.48

[Steffen]

Good evening Christophe,

+1 for Windows

Cheers, Steffen 

> Op 17 mei 2021 om 23:37 heeft Christophe JAILLET 
>  het volgende geschreven:
> 
> Hi, all;
>   Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this candidate 
> tarball as 2.4.48:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
> *httpd-2.4.48.tar.gz
> sha512: 
> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
>  *httpd-2.4.48.tar.gz
> 
> The SVN tag is '2.4.48' at r1889975.
> 
> -- 
> Christophe JAILLET

Re: [VOTE] Release httpd-2.4.48

[Noel Butler]

On 18/05/2021 21:50, Joe Orton wrote:


On Mon, May 17, 2021 at 11:36:29PM +0200, Christophe JAILLET wrote:


Hi, all;
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this 
candidate

tarball as 2.4.48:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
sha256: 
315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e

*httpd-2.4.48.tar.gz
sha512: 
91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb

*httpd-2.4.48.tar.gz


+1 for release, builds and passes test suite on RHEL8.  Thanks for 
RMing

again.

Regards, Joe


All good on slackware 14.0 14.2 and 15.0beta running 48 hours

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.

Re: [VOTE] Release httpd-2.4.48

[Daniel Ferradal]

Hello,

I tested in RHEL 6.10 and Centos 7.9
along with manually compiled:
openssl-1.1.1k
expat-2.2.10
apr-1.7.0
apr-util-1.6.1
pcre-8.44
nghttp2-1.43.0 (and to compile this , compiled Python-3.9.5)
bonus: tested loading weblogic plugin too (WebLogic Server Plugin
version 12.2.1.4.0 )

Results: no issues.


+1 for me.

El lun, 17 may 2021 a las 23:37, Christophe JAILLET
() escribió:
>
> Hi, all;
> Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.48:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e
> *httpd-2.4.48.tar.gz
> sha512:
> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
> *httpd-2.4.48.tar.gz
>
> The SVN tag is '2.4.48' at r1889975.
>
> --
> Christophe JAILLET



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

Re: [VOTE] Release httpd-2.4.48

[jean-frederic clere]

On 17/05/2021 23:36, Christophe JAILLET wrote:

[X] +1: It's not just good, it's good enough!


Tests are OK on fedora 34.

Note that we miss the back port of 
https://github.com/apache/httpd/pull/186 for GCC11 for the 
--enable-maintainer-mode


--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.48

[Yann Ylavic]

[X] +1: It's not just good, it's good enough!

All good on my Debian(s).

Thanks a bunch again Christophe !

Re: [VOTE] Release httpd-2.4.48

[Cory McIntire]

Hello All,

+1: It's not just good, it's good enough!

CentOS6, CentOS7, and CentOS8 builds and passes test suite for us.


Thanks,
Cory McIntire
PO – cPanel Security Team
Release Manager – EasyApache
cPanel, L.L.C.



From: Christophe JAILLET 
Date: Monday, May 17, 2021 at 4:37 PM
To: dev@httpd.apache.org 
Subject: [VOTE] Release httpd-2.4.48
Hi, all;
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this
candidate tarball as 2.4.48:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e
*httpd-2.4.48.tar.gz
sha512:
91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
*httpd-2.4.48.tar.gz

The SVN tag is '2.4.48' at r1889975.

--
Christophe JAILLET

Re: [VOTE] Release httpd-2.4.48

[Giovanni Bechis]

On 5/18/21 1:53 PM, Joe Orton wrote:
> On Tue, May 18, 2021 at 01:30:25PM +0200, Ruediger Pluem wrote:
>>
>>
>> On 5/18/21 11:52 AM, Giovanni Bechis wrote:
>>> On 5/17/21 11:36 PM, Christophe JAILLET wrote:
 Hi, all;
    Please find below the proposed release tarball and signatures:
 https://dist.apache.org/repos/dist/dev/httpd/

 I would like to call a VOTE over the next few days to release this 
 candidate tarball as 2.4.48:
 [ ] +1: It's not just good, it's good enough!
 [ ] +0: Let's have a talk.
 [ ] -1: There's trouble in paradise. Here's what's wrong.

 The computed digests of the tarball up for vote are:
 sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
 sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
 *httpd-2.4.48.tar.gz
 sha512: 
 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
  *httpd-2.4.48.tar.gz

 The SVN tag is '2.4.48' at r1889975.

>>> -1 for me.
>>> new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
>>> EVP_PKEY_X448 are defined.
>>> I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.
>>
>> Did 2.4.46 build with LibreSSL?
> 
2.4.46 and 2.4.47 builds.

> Looks like this is new in 2.4.48 but both LibreSSL users can work around 
> this or not build mod_md, it doesn't seem like a showstopper.
>
no real showstopper for me, please remove my "-1" vote.

 
> Giovanni, if you care about keeping Libre support alive can you work out 
> how to get it building in Travis?  It's daft if we are only hitting 
> these compat issues in post-roll testing.
> 
I agree and I will take a look at it.


> Regards, Joe
> 




OpenPGP_signature
Description: OpenPGP digital signature

Re: [VOTE] Release httpd-2.4.48

[Joe Orton]

On Tue, May 18, 2021 at 01:30:25PM +0200, Ruediger Pluem wrote:
> 
> 
> On 5/18/21 11:52 AM, Giovanni Bechis wrote:
> > On 5/17/21 11:36 PM, Christophe JAILLET wrote:
> >> Hi, all;
> >>    Please find below the proposed release tarball and signatures:
> >> https://dist.apache.org/repos/dist/dev/httpd/
> >>
> >> I would like to call a VOTE over the next few days to release this 
> >> candidate tarball as 2.4.48:
> >> [ ] +1: It's not just good, it's good enough!
> >> [ ] +0: Let's have a talk.
> >> [ ] -1: There's trouble in paradise. Here's what's wrong.
> >>
> >> The computed digests of the tarball up for vote are:
> >> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> >> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
> >> *httpd-2.4.48.tar.gz
> >> sha512: 
> >> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
> >>  *httpd-2.4.48.tar.gz
> >>
> >> The SVN tag is '2.4.48' at r1889975.
> >>
> > -1 for me.
> > new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
> > EVP_PKEY_X448 are defined.
> > I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.
> 
> Did 2.4.46 build with LibreSSL?

Looks like this is new in 2.4.48 but both LibreSSL users can work around 
this or not build mod_md, it doesn't seem like a showstopper.

Giovanni, if you care about keeping Libre support alive can you work out 
how to get it building in Travis?  It's daft if we are only hitting 
these compat issues in post-roll testing.

Regards, Joe

Re: [VOTE] Release httpd-2.4.48

[Joe Orton]

On Mon, May 17, 2021 at 11:36:29PM +0200, Christophe JAILLET wrote:
> Hi, all;
>Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this candidate
> tarball as 2.4.48:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e
> *httpd-2.4.48.tar.gz
> sha512: 
> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
> *httpd-2.4.48.tar.gz

+1 for release, builds and passes test suite on RHEL8.  Thanks for RMing 
again.

Regards, Joe

Re: [VOTE] Release httpd-2.4.48

[Ruediger Pluem]

On 5/18/21 11:52 AM, Giovanni Bechis wrote:
> On 5/17/21 11:36 PM, Christophe JAILLET wrote:
>> Hi, all;
>>    Please find below the proposed release tarball and signatures:
>> https://dist.apache.org/repos/dist/dev/httpd/
>>
>> I would like to call a VOTE over the next few days to release this candidate 
>> tarball as 2.4.48:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>
>> The computed digests of the tarball up for vote are:
>> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
>> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
>> *httpd-2.4.48.tar.gz
>> sha512: 
>> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
>>  *httpd-2.4.48.tar.gz
>>
>> The SVN tag is '2.4.48' at r1889975.
>>
> -1 for me.
> new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
> EVP_PKEY_X448 are defined.
> I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.

Did 2.4.46 build with LibreSSL?

Regards

Rüdiger

Re: [VOTE] Release httpd-2.4.48

[Stefan Eissing]

> Am 18.05.2021 um 11:52 schrieb Giovanni Bechis :
> 
> On 5/17/21 11:36 PM, Christophe JAILLET wrote:
>> Hi, all;
>>Please find below the proposed release tarball and signatures:
>> https://dist.apache.org/repos/dist/dev/httpd/
>> 
>> I would like to call a VOTE over the next few days to release this candidate 
>> tarball as 2.4.48:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>> 
>> The computed digests of the tarball up for vote are:
>> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
>> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
>> *httpd-2.4.48.tar.gz
>> sha512: 
>> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
>>  *httpd-2.4.48.tar.gz
>> 
>> The SVN tag is '2.4.48' at r1889975.
>> 
> -1 for me.
> new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
> EVP_PKEY_X448 are defined.
> I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.

Meh, this ballsy libressl version definition, how many people have slits their 
wrists on that already?

Thanks for the patch. I will bring that in to trunk and 2.4.x and github.

Stefan

> Giovanni
> 
> The following patch is a workaround:
> 
> Index: modules/md/md_crypt.c
> --- modules/md/md_crypt.c.orig
> +++ modules/md/md_crypt.c
> @@ -71,6 +71,11 @@
> #include 
> #endif
> 
> +#if defined(LIBRESSL_VERSION_NUMBER)
> +#define EVP_PKEY_X25519 NID_X25519
> +#define EVP_PKEY_X448 NID_X448
> +#endif
> +
> static int initialized;
> 
> struct md_pkey_t {

Re: [VOTE] Release httpd-2.4.48

[Giovanni Bechis]

On 5/17/21 11:36 PM, Christophe JAILLET wrote:
> Hi, all;
>    Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this candidate 
> tarball as 2.4.48:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: b581bcfdd939fe77c3821f7ad3863c7307374919 *httpd-2.4.48.tar.gz
> sha256: 315c0bc50206b866fb17c2cdc28c1973765a8d59ca168b80286e8cb077d0510e 
> *httpd-2.4.48.tar.gz
> sha512: 
> 91980f757fc0dede8c6cbf54ed973f82a63098aa50d0fce15fe3537687b4ffbb48ed50cdb4ae14eb4a8703450f032daf73f4f3d5e2dd0f75721948e12a9c6dfb
>  *httpd-2.4.48.tar.gz
> 
> The SVN tag is '2.4.48' at r1889975.
> 
-1 for me.
new mod_md doesn't build with LibreSSL because nor EVP_PKEY_X25519 nor 
EVP_PKEY_X448 are defined.
I have asked LibreSSL guys if they will add EVP_PKEY_* constants to evp.h.

 Giovanni

The following patch is a workaround:

Index: modules/md/md_crypt.c
--- modules/md/md_crypt.c.orig
+++ modules/md/md_crypt.c
@@ -71,6 +71,11 @@
 #include 
 #endif
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define EVP_PKEY_X25519 NID_X25519
+#define EVP_PKEY_X448 NID_X448
+#endif
+
 static int initialized;
 
 struct md_pkey_t {



OpenPGP_signature
Description: OpenPGP digital signature

Re: [VOTE] Release httpd-2.4.48

[Jan Ehrhardt]

Christophe JAILLET in gmane.comp.apache.devel (Mon, 17 May 2021 23:36:29
+0200):
>https://dist.apache.org/repos/dist/dev/httpd/
>
>I would like to call a VOTE over the next few days to release this 
>candidate tarball as 2.4.48:
>[x] +1: It's not just good, it's good enough!

I tested the substantial changes in mod_md with
- Windows VC9  x86
- Windows VC15 x64
New certificates were generated as expected.
-- 
Jan