> I may be an odd-ball that I want to manage this kind of a setup but I
> think that if you can build one application, you can build more. They
> happily live separated into /usr/local on RHEL7...


Can, does not necessarily imply should.

From an end-user perspective, the less work I need to do for the desired 
outcome, the better.  For each and every application I compile, I take 
responsibility for all related maintenance.  If I just link against the distro 
versions of libraries, I don't incur an ongoing cost beyond applying standard 
distro patches.  If I build an openssl library from source, I also need to stay 
on top of all security related patches to that library that a distro would 
typically manage for me.  Under RHEL6, I count 52 releases of openssl-1.0.1# in 
the changelog.  That is far from trivial, especially compared to 
httpd/apr/apr-util that seem to only *need* around 1-2 update rounds per year 
to deal with security issues, etc.

In this case, since you are already maintaining an OpenSSL port and keeping 
that current, I assume this sunk cost basically looks free to you from the 
httpd perspective?  If so, I would agree that there's little benefit to NOT 
using your latest openssl package version in the same repo/tree, as that's 
going to be available to your users and similarly supported.  However, the 
latest distro supported version available for a large number of servers is a 
patched 1.0.1e (RHEL6, which ships with httpd 2.2.15).


Rick Houser
Web Engineer

> -----Original Message-----
> From: Bernard Spil [mailto:br...@freebsd.org]
> Sent: Monday, March 19, 2018 13:23
> To: dev@httpd.apache.org
> Subject: Re: Poll: increase OpenSSL version requirement for trunk?
> 
> Naturally, there was something I saw in the archives I want to react
> upon, even if not a vote...
> I am also the maintainer of the OpenSSL (and LibreSSL) ports for
> FreeBSD and am the author of many patches for LibreSSL, No-SSLv2,
> No-SSLv3 for upstream projects.
> 
> I was searching for the rationale to provide a version of Apache which
> is newer than what you get from your Operating System.
> 
> Obviously, there _is_ a need to have something newer than your OS,
> e.g. Apache 2.4.6 on RHEL 7 is missing too many features.
> When you are smart enough to be able to build your own Apache httpd,
> are you not also smart enough to build all dependencies?
> FWIW: I manage, to my dismay, 2 Apache front-end servers acting as
> reverse proxy on RHEL7. When I ran into update problems with the
> Base-OS I decided that I would just build the whole stack (from zlib
> upwards) from the ground up.
> If you would want mod_http2 you are in trouble on these old systems in
> all cases, curl with HTTP/2 support? libnghttp2 in your repos?
> 
> Managing multiple versions of OpenSSL is already a headache. For 1.1
> you need compat shims or lots of ifdefs, 1.1.1 (currently -pre2) will
> only add to that...
> 
> I may be an odd-ball that I want to manage this kind of a setup but I
> think that if you can build one application, you can build more. They
> happily live separated into /usr/local on RHEL7...
> 
> Cheers, Bernard.