On 05/30/2007 07:56 AM, William A. Rowe, Jr. wrote:
> I'd like to see new tarballs rolled soonish, given the single significant
> bug that was disclosed earlier today.
>
> Obviously most mass-vhosters are capable of compiling their own binary,
> so providing the seperate-pid-table patch (whoever gets around to writing
> one) resolves any immediate urgency.
>
> But people get skittish when they see httpd anywhere near vulnerability,
> so I'll roll apr 0.9/1.2 in 36 hours which means midday Sunday it's likely
> to be released and ready to drop into 2.0 / 2.2.
Given the fact that we wanted to do this about 4 weeks ago anyway +1 on rolling.
But we should wait for a seperate-pid-table patch, because releasing now with
the "security" statement out and no patch for at least the one that we regard
as somewhat sensitive seems to have the potential of confusing people even more
than not releasing. ("They release a new version without a fix for this security
hole. WTF?").
>
> 1.3 could be rolled/released whenever it's been patched, but I'd personally
> rather see *one* announcement, again, like we did about a year back, so we
> don't have silly people scrambling to install 1.3 in place of 2.2 :)
+1
Regards
RĂ¼diger
