On 3 May 2017 at 09:03, Issac Goldstand <mar...@beamartyr.net> wrote: > What would work, in my eyes, if people are open to it, is treating the > contents of these definitions/macros (and I'm all for the macros, just > so that interested sysadmins can see *exactly* what the settings are on > their setup) as apart from the httpd sources, and thus not subject to > the normal release cycle. To clarify, I mean the httpd tarball release > cycles specifically, not our policies for how we perform and vote on the > releases (although we'd need to come to agreement on how to allow for > quick releases in the face of security issues, so a 3 day vote followed > by release may not work). Instead, we could do something similar to the > spamassassin project does with their base rules, where we have external > tooling (or internal tooling, if it's preferred) fetch the up-to-date > definitions from an ASF mirror server on a regular basis and override > the local definitions.
FWIW, this seems like the right approach to me.