On Tue, Aug 24, 2010 at 3:04 PM, Guenter Knauf <[email protected]> wrote: > Hi all, > Am 24.08.2010 18:42, schrieb Jim Jagielski: >> >> The pre-release test tarballs for httpd-2.3.8 (alpha) are >> available for download, test and fun: >> >> http://httpd.apache.org/dev/dist/ >> >> Will call for a release vote in a coupla days... > > I know that this topic was already up here, but nevertheless I think we > should re-think about including PCRE again. > Other than openssl or zlib PCRE is a mandatory dependency like APR/APU, and > I see no benefit in dropping it from our dependencies deliveries other than > making tarballs smaller, and that is nowadays certainly not an issue > anymore. > We want Apache to build form source on at many platforms as possible - sure > the main target is Linux / Unix, but we have a couple of other platforms > where PCRE is not installed by default, that are at least Win32, NetWare, > most likely OS/2, and probably a couple of others too. > I tried to build 2.3.7 already for NetWare and Win32, and while NetWare went > fine only because I have an (self) adapted makefile (from previous times > when we shipped PCRE), the Win32 stuff is horrible: there comes some > suggestion up that I should build PCRE with CMake with xxx option; 1st I > have to download CMake and depend on another build tool (ok, not that big > issue), but whats even more worse is that the CMake build failed for me, and > thats really bad - you cant just go and build httpd as you do on Linux, no! > Your build process is always interupted, and probably as in my case finally > broken at all. > Hey, friends, we do much better with 2.2.x where we ship PCRE: we have our > own makefile, and the build goes through in one go without need for other > tools like CMake - just the compiler and probably a platform PDK are enough > (and thats how it shoud be). > Therefore I want to start a vote here again where we vote for including PCRE > again with the dependencies - just as we (now) do with APR/APU; > and everyone who votes against should give some good reasons what speaks > against -- the fact that every Linux comes with PCRE is certainly no good > reason - it only leads finally to the fact that we might end up with 50 > builds of httpd 2.after-2.x with different PCE versions which makes then > nice bug hunting, and we cant even tell someone who faces a prob to 'use our > shipping PCRE which is known to be good'. > > Here we go: > > [ ] YES - include recent PCRE again with dependencies (means we > create a PCRE repo in svn, check in a recent version, and add > platform-dependent makefiles which are fully integrated into > main build process). > > [ ] NO - dont include PCRE (as currently) because of reason: ... > [X] NO:
There are 3-5 PCRE releases per year[1], and as a project our history of staying up to date (including security and just bug fixes) was generally pretty bad. Bundling our own PCRE is a security risk best managed by operating system vendors who take care of backporting patches to 4 year old versions, as an upstream I see very little value in maintaining PCRE in tree, and plenty of risks. It seems to enable porting on other platforms, we could make a shell script that downloaded PCRE and any other dependencies like it (OpenSSL?), but I don't believe this has a place in the main distribution tarball. Thanks, Paul [1] - http://www.pcre.org/news.txt
