In catching up with building 2.2.23 and getting somewhere with 2.4.3 (soon to be .24 and .4 from today's email notes), I'm left with one quandary.
The 2.2 builds all used OpenSSL 0.9.8 and that's where I would leave it, while 2.4 builds aught to use 1.0.1. That, and libxml2 and lua are the packages we don't bundle. But for the expat and pcre dependencies, the versions we shipped in 2.2.23 and 2.4.3-deps sources are falling out of date. And I doubt a bundle of 2.4.4-deps is going to be updated either. For a binary package here at the ASF, when it comes to a third party dependency, I would suggest we ignore the out of date bundled source, and always package what the other OSS project has most recently released, as long as the release remained binary forward compatible to our prior packages. This impacts Windows and Netware along with any other binaries people wanted to build (aix, solaris or whatever). In most of those cases I'd expect the 'httpd' package would be devoid of the dependencies and just rely on the most commonly accepted library bundle. I think it is that way in most of the deb/rpm/apt packaging repositories. Comments or thoughts?
