On Mon, 2017-04-17 at 14:01 +0200, Rainer Jung wrote: Thanks for the comments.
> my test results: most important is failure to compile on Solaris 8 and a > hang during make test on Solaris 10, as well as your key seeming to be > revoked. See below. > > 1) Formal observations > ====================== > > - MD5 and SHA1 missing Indeed. Do you think those should be encouraged, as they don't actually give any more security than a simple checksum? > - zip archives not named "win32-src.zip" as previously > - CHANGES-APR-1.6 and CHANGES-APR-UTIL-1.6 missing > - HEADER.html and README.html missing > - Announcement1.6.txt and Announcement1.6.html missing AFAICS those don't feature in the tarballs? I looked at the 1.5.latest of APR/APU and I don't see them. > - Key B87F79A9 missing from KEYS file Good point. Since ASF now auto-generates per-project keys files daily, why maintain a separate KEYS file? > - Key B87F79A9 is listed as "revoked: 2016-08-16" in key server I saw that key after uploading the tarballs! That key has a wrong creation date and wrong fingerprint: it's an imposter who created a clash (I recollect discussing that, though I only just found out that a fake with my name on it was "out there")! My real key is in http://people.apache.org/keys/group/apr.asc and http://people.apache.org/keys/committer/ (along with my old 1024-bit key, which I can also use if this is creating confusion). > - ".svn" directory included, that's unusual > - STATUS file included, that's unusual It's a fair cop, guv! > - Unix build files configure, *.spec, build-outputs.mk, build/*.sh, > build/l*.m4 (libtool m4 files) and the copies of the apr build/*.m4 > in apu are included in zip (that's new, but IMHO OK) Ah, right. Yep, that's probably not such a good idea. Do we in fact still need those in the Unix tarballs? Are there platforms out there with the toolchain for configure/make but not for buildconf? > - no more bundled expat: we need to note that in the release notes Agreed, that was certainly on the agenda for the announcement. > 2) Compile and run > ================== > > a) New apr configure options > b) Changes in apr-util configure options Useful for release notes :) > c) Failure to compile apr on Solaris 8 > -------------------------------------- Damn. That looks like a showstopper for release. But shouldn't be too hard, since you've tracked down the cause. > which indeed doesn't look like a good lvalue. Indeedie. > d) Hang during APR make check on Solaris 10 (testprocmutex) > ----------------------------------------------------------- > > pthread_mutex_timedlock() hangs when the > current thread already has > locked the mutex. Hmmm, OK. We knew the timedlock stuff had potential to blow up. I guess that points back to the plan of making it a config option. I'm out this evening, but will hopefully find time tomorrow to revisit these problems. And I need to do some more digging around that bogus PGP key! -- Nick Kew
