Nick Kew wrote:
The target audience for APR is tech-savvy: developers and integrators. HTTPD has a larger and more mixed audience. I'd say that puts on us a greater burden of care, including crucially a proper review of changes in 1.3, before bundling it in a release version of HTTPD.
I don't believe that our /not/ shipping with apr-1.3 saves anyone any grief. If the apr-1.3.x branch is flawed, it must be fixed, and then 1.3.0 released. Why ship on 1.2.x, only to have a subset of users deploy against the released 1.3.0 and report errant behavior? I would much rather know from user experience that 1.3.0 did not suit them, and why, and direct them that they can manually configure against 1.2.x as mentioned earlier in this thread.
As an example of what I'm concerned about, I'd point to the serious security issue I recently documented in mod_dbd (trunk version of docs). APR-UTIL 1.2 excludes the dangerous driver; 1.3 includes it. Can we enumerate other potentially-serious issues?
Or more specifically, could you elaborate on the dbd changes within apr 1.3.x that need additional review? Why is this driver not correctly dodged?
Bill