Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-14 Thread William A Rowe Jr 
On Wed, Jun 14, 2017 at 4:12 PM, William A Rowe Jr  wrote:
>
>Please note that Apache Web Server Project will only provide maintenance
>releases of the 2.2.x flavor through June of 2017, and will provide some
>security patches beyond this date through at least December of 2017.
>Minimal maintenance patches of 2.2.x are expected throughout this period,
>and users are strongly encouraged to promptly complete their transitions
>to the the 2.4.x flavor of httpd to benefit from a much larger assortment
>of minor security and bug fixes as well as new features.

Just FYI, we've just about reached the 50% inflection point
I anticipated, it likely happens around the end of July;

https://w3techs.com/technologies/history_details/ws-apache/2

Now this might suggest that continuing to release 2.2 is important,
but that would be a misunderstanding of what "apache 2.2" means;

https://w3techs.com/technologies/details/ws-apache/2.2/all

As the list illustrates, 5 months later, only 2.5% of the 2.2 sites (~0.6%
or so of the total apache sites) had updated to 2.2.32 released in Jan.

Given the text above, this shouldn't come as a surprise, since users
likely adopted 2.4 rather than updating to another 2.2 release.

The majority of these 2.2 sites simply won't be updating their version
of httpd 2.2 again until their entire site is redeployed to a new server.
You can contrast this to the behavior of 2.4 administrators;

https://w3techs.com/technologies/details/ws-apache/2.4/all

Here, over 25% of 2.4 sites adopted 2.4.25 during the same time period.

Publishing security patches will help different vendors coordinate the
patches used to correct legacy releases they support, but will likely
not have a great impact on the typical httpd user, directly. We are
facing diminishing odds of users installing a 2.2 maintenance release
or patch from sources.

Re: [VOTE] Release Apache httpd 2.4.26 as GA

2017-06-14 Thread Yann Ylavic 
On Tue, Jun 13, 2017 at 7:33 PM, Jim Jagielski  wrote:
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
>
[X] +1: Good to go

Tested on Debian(s) 7, 8 and 9.
All tests passed (but usual TODOs in "t/modules/session.t" for Debian 7 and 8).
PGP signatures, SHA* and MD5 OK.

Note, this new warning with gcc 4.7.2, 4.9.2 and 6.3.0:
util.c: In function ‘ap_parse_form_data’:
util.c:2667:10: warning: ‘escaped_char[0]’ may be used uninitialized
in this function [-Wmaybe-uninitialized]
 char escaped_char[2];
  ^~~~
Looks very much like a spurious warning, but it's also hard for the
compiler to figure out.


Thanks for releasing, Jim.

[Discuss] Rolling a 'final' 2.2.33 release

2017-06-14 Thread William A Rowe Jr 
Per to our discussion last year, this EOL is here. That discussion
resulted in the following Announcement statement;

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior versions
   to upgrade. This 2.2 maintenance release is offered for those unable
   to upgrade at this time.

   Please note that Apache Web Server Project will only provide maintenance
   releases of the 2.2.x flavor through June of 2017, and will provide some
   security patches beyond this date through at least December of 2017.
   Minimal maintenance patches of 2.2.x are expected throughout this period,
   and users are strongly encouraged to promptly complete their transitions
   to the the 2.4.x flavor of httpd to benefit from a much larger assortment
   of minor security and bug fixes as well as new features.

If we incorporate apr[-util] 1.6, that would remove expat from this
final 2.2 release. If we do this, we need to backport various build
logic charges, backporting those changes for all build schemas.
I believe Windows and Netware have unified expat builds, and
the httpd-level solution files would need to be regenerated to
consume externally built expat (as apr-util already does); going
that far, it likely makes sense to incorporate externally build pcre.

The alternative I prefer is to roll with the final apr[-util] 1.5 releases
as the 2.2.32 tarball had, and include the same warning as given
in the 2.2 release announcement;

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

Thoughts/comments? Patches to hold for before we roll? If I don't hear
otherwise, and we stick to the simpler alternative, then I'd plan to roll
these candidates Thursday.

Re: svn commit: r20021 - /dev/httpd/

2017-06-14 Thread Jim Jagielski 
Thanks! Fixed.
> On Jun 13, 2017, at 2:12 PM, Jim Riggs  wrote:
> 
> I don't know that it really matters, but this guy is in there twice (in each 
> CHANGES doc), once with the PR # and once without:
> 
>> +  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
>> + be used as an alternative to ProxyPass /path !. This is primarily
>> + to set exceptions for ProxyPass specified in  context.
>> +Use SetEnvIf, not SetEnv. [Eric Covener]
> 
> 
>> +  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
>> + be used as an alternative to ProxyPass /path !. This is primarily
>> + to set exceptions for ProxyPass specified in  context.
>> + Use SetEnvIf, not SetEnv. PR 60458.  [Eric Covener]
>> +
>

Re: [VOTE] Release Apache httpd 2.4.26 as GA

2017-06-14 Thread Gregg Smith 

On 6/13/2017 10:33 AM, Jim Jagielski wrote:

The pre-release test tarballs for Apache httpd
version 2.4.26 can be found at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.


+1 on Windows

Re: [VOTE] Release Apache httpd 2.4.26 as GA

2017-06-14 Thread Reindl Harald 



Am 13.06.2017 um 19:33 schrieb Jim Jagielski:

The pre-release test tarballs for Apache httpd
version 2.4.26 can be found at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience


looks good so far with apr 1.5 on Fedora 25 because somebody should fix 
https://www.apache.org/dist/apr/ and when you look closer you see 1.6.x 
below


APR 1.5.2 is the latest available version
APR-util 1.5.4 is the latest available version
APR-iconv 1.2.1 is the latest available version
APR 0.9.20 is also available
APR-util 0.9.19 is also available
APR-iconv 0.9.7 is also available

Re: [VOTE] Release Apache httpd 2.4.26 as GA

2017-06-14 Thread Noel Butler 
On 14/06/2017 03:33, Jim Jagielski wrote:

> The pre-release test tarballs for Apache httpd
> version 2.4.26 can be found at the usual place:
> 
> http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.
> 
> Thx!

+1 Slackware with included apr 1.6.2 and apr-util 1.6.0

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument

signature.asc
Description: OpenPGP digital signature