> On 10 Oct 2018, at 20:28, Jim Jagielski <j...@jagunet.com> wrote: > > > >> On Oct 10, 2018, at 3:01 PM, William A Rowe Jr <wr...@rowe-clan.net >> <mailto:wr...@rowe-clan.net>> wrote: >> >> On Wed, Oct 10, 2018 at 1:45 PM Jim Jagielski <j...@jagunet.com >> <mailto:j...@jagunet.com>> wrote: >> I thought the whole intent for a quick 2.4.36 was for TLSv1.3 support. >> >> If that's not ready for prime time, then why a release?? >> >> AIUI, it isn't that httpd isn't ready for release, or even httpd-test >> framework. >> Until all the upstream CPAN modules behave reasonably with openssl 1.1.1 >> we will continue to see odd test results. > > The question is How Comfortable Are We That TLSv1.3 Support Is Production > Ready? > > This release seems very, very rushed to me. It seems strange that for someone > who balks against releasing s/w that hasn't been sufficiently tested, or > could cause regressions, and that the sole reason for this particular release > is TLSv1.3 support which seems insufficiently tested, you are > uncharacteristic cool with all this.
Does the TLSv1.3 support need to be production ready? TLSv1.3 is presumably an opt-in feature and as long as it doesn’t endanger existing behaviours, I would have assumed it’s relatively safe to release with caveats in the docs. Of course, once there’s more take-up of TLSv1.3, then the test suite needs to be useful. Getting real-world feedback about something completely new that doesn’t endanger existing behaviours outside of TLSv1.3 is probably worthwhile. - Mark