On 1/17/22 8:35 PM, William A Rowe Jr wrote:
>
>
> On Mon, Jan 17, 2022, 09:37 Ruediger Pluem <rpl...@apache.org
> <mailto:rpl...@apache.org>> wrote:
>
>
>
> On 1/17/22 4:05 PM, Joe Orton wrote:
> > On Sun, Jan 16, 2022 at 03:35:15PM -0600, William A Rowe Jr wrote:
> >> 4 days ago, you all saw this. 6 years ago, you all started using this on trunk.
> >>
> >> Don't know what I can do to help this along and honor the library
> >> author's wishes for all of us to walk away from the dead fork, and use
> >> the maintained fork. It's whatever it is, I'm out of here and removing
> >> the backport application branch, whoever 3rd upvotes this be prepared
> >> to apply this for us all, thanks.
> >
> > I'm fine with PCRE 10.x as a trunk/2.5 feature. PCRE upstream have
> > maintained 8.x better than e.g. zlib upstream have done in recent years
> > (last zlib release in 2017). So I don't find the fact it's considered
> > EOL upstream presents any particular urgency, it's still supported
> > downstream on platforms people deploy to.
> >
> > For 2.4.x I would argue it's better to keep a preference for 8.x over
> > 10.x so that users aren't switched from one to the other across an
> > upgrade - with some new performance trade-off we know about - without
> > changing the environment/configure line?
>
> Sounds sensible for Linux to keep the default to 8.x if found where people
> can expect their distribution to maintain stuff provided that the
> distribution is still maintained.
> I am not so sure for other platforms especially Windows where I guess
> that people get stuff more often directly from upstream.
>
>
> Sensible? Did you read the memo at pcre.org <http://pcre.org>? There will be
> no more evaluations of security risks on the abandoned fork and we were told
> this back in May 2021.
>
> Do you still have the same posture? Some of us spent the last 5 years arguing
> for httpd.next, and I resigned over it. Your call,

Unless I missed something on the link you provided this just looks like an EOL of a version by the upstream project. Many Linux distributions, especially the LTS ones contain such versions of various products and promise to maintain them for the distribution until the support for the distribution version stops. e.g. RedHat 7 still ships openssl 1.0.2 which is not supported upstream any longer, but still receives updates in RedHat 7 until its regular support ends in 2024.

So my posture is still the same. But I want to thank you for making this backport proposal for which I already voted as it brought up to our attention that 2.4.x users which cannot / do not want to use the old PCRE version for various reasons (e.g. no one providing support for it, for the particular platform they use, not wanting to use such LTS distribution provided versions, etc.) had no choice to use the upstream supported version. Once the backport comes in they have that possibility which is great.

Regards

Rüdiger