Joe Orton wrote:
+1 to shipping the sources in the tarball. In principle I like the idea
of only shipping apr from a release tag, but it adds a significant
burden if there needs to be an httpd security release for an apr issue.
I think we need to demonstrate that we can ship APR releases more often
than once a year first.
I don't see any reason why APR would not ship more than once a year. The big step was v0.9 to v1.0, the step to v1.0.1 or onwards is a no-brainer, especially for a security release.
This is precisely dictated by APR_FIND_APR and how it's used. Not bundling the apr and apr-util sources just takes away user choice, and I don't see any justification for doing that.
APR_FIND_APR allows you to install v0.x and v1.x simultaneously and choose between the two, but it will not help if APR v1.x.bar is installed and used by subversion, while APR v1.y.foo is used by httpd.
Regards,
Graham