Re: [Discuss] Rolling a 'final' 2.2.33 release
On Wed, Jun 14, 2017 at 4:12 PM, William A Rowe Jr wrote:
>
>Please note that Apache Web Server Project will only provide maintenance
>releases of the 2.2.x flavor through June of 2017, and will provide some
>security patches beyond this date through at least December of 2017.
>Minimal maintenance patches of 2.2.x are expected throughout this period,
>and users are strongly encouraged to promptly complete their transitions
>to the 2.4.x flavor of httpd to benefit from a much larger assortment
>of minor security and bug fixes as well as new features.

Just FYI, we've just about reached the 50% inflection point I anticipated, it likely happens around the end of July;

https://w3techs.com/technologies/history_details/ws-apache/2

Now this might suggest that continuing to release 2.2 is important, but that would be a misunderstanding of what "apache 2.2" means;

https://w3techs.com/technologies/details/ws-apache/2.2/all

As the list illustrates, 5 months later, only 2.5% of the 2.2 sites (~0.6% or so of the total apache sites) had updated to 2.2.32 released in Jan. Given the text above, this shouldn't come as a surprise, since users likely adopted 2.4 rather than updating to another 2.2 release. The majority of these 2.2 sites simply won't be updating their version of httpd 2.2 again until their entire site is redeployed to a new server.

You can contrast this to the behavior of 2.4 administrators;

https://w3techs.com/technologies/details/ws-apache/2.4/all

Here, over 25% of 2.4 sites adopted 2.4.25 during the same time period.

Publishing security patches will help different vendors coordinate the patches used to correct legacy releases they support, but will likely not have a great impact on the typical httpd user, directly. We are facing diminishing odds of users installing a 2.2 maintenance release or patch from sources.

Re: [VOTE] Release Apache httpd 2.4.26 as GA
On Tue, Jun 13, 2017 at 7:33 PM, Jim Jagielski wrote:
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
>
> [X] +1: Good to go

Tested on Debian(s) 7, 8 and 9.
All tests passed (but usual TODOs in "t/modules/session.t" for Debian 7 and 8).
PGP signatures, SHA* and MD5 OK.

Note, this new warning with gcc 4.7.2, 4.9.2 and 6.3.0:

util.c: In function ‘ap_parse_form_data’:
util.c:2667:10: warning: ‘escaped_char[0]’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     char escaped_char[2];
          ^~~~

Looks very much like a spurious warning, but it's also hard for the compiler to figure out.

Thanks for releasing, Jim.

[Discuss] Rolling a 'final' 2.2.33 release
Per our discussion last year, this EOL is here. That discussion resulted in the following Announcement statement;

  We consider the Apache HTTP Server 2.4 release to be the best version of Apache available, and encourage users of 2.2 and all prior versions to upgrade. This 2.2 maintenance release is offered for those unable to upgrade at this time.

  Please note that Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are strongly encouraged to promptly complete their transitions to the 2.4.x flavor of httpd to benefit from a much larger assortment of minor security and bug fixes as well as new features.

If we incorporate apr[-util] 1.6, that would remove expat from this final 2.2 release. If we do this, we need to backport various build logic changes, backporting those changes for all build schemas. I believe Windows and Netware have unified expat builds, and the httpd-level solution files would need to be regenerated to consume externally built expat (as apr-util already does); going that far, it likely makes sense to incorporate externally built pcre.

The alternative I prefer is to roll with the final apr[-util] 1.5 releases as the 2.2.32 tarball had, and include the same warning as given in the 2.2 release announcement;

  This release includes the Apache Portable Runtime (APR) version 1.5.2 and APR Utility Library (APR-util) version 1.5.4, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR version 1.5 and APR-util version 1.5 represent minor version upgrades from earlier httpd 2.2 source distributions.

  Note this package also includes very stale and known-vulnerable versions of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/] packages. Users are strongly encouraged to first install the most recent versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

Thoughts/comments? Patches to hold for before we roll?

If I don't hear otherwise, and we stick to the simpler alternative, then I'd plan to roll these candidates Thursday.

Re: svn commit: r20021 - /dev/httpd/
Thanks! Fixed.

> On Jun 13, 2017, at 2:12 PM, Jim Riggs wrote:
>
> I don't know that it really matters, but this guy is in there twice (in each
> CHANGES doc), once with the PR # and once without:
>
>> + *) mod_proxy: Allow the per-request environment variable "no-proxy" to >> + be used as an alternative to ProxyPass /path !. This is primarily >> + to set exceptions for ProxyPass specified in context. >> +Use SetEnvIf, not SetEnv. [Eric Covener] > > >> + *) mod_proxy: Allow the per-request environment variable "no-proxy" to >> + be used as an alternative to ProxyPass /path !. This is primarily >> + to set exceptions for ProxyPass specified in context. >> + Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener] >> + >
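
Review bot: the mod_proxy "no-proxy" entry is added twice in the quoted CHANGES lines, and the two copies differ only in the "PR 60458." reference, so the changelog would list one change as two. Keep the copy that carries the PR number and drop the other, in each CHANGES document that received both.
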
Re: [VOTE] Release Apache httpd 2.4.26 as GA
On 6/13/2017 10:33 AM, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd
> version 2.4.26 can be found at the usual place:
>
> http://httpd.apache.org/dev/dist/
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
>
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.

+1 on Windows

Re: [VOTE] Release Apache httpd 2.4.26 as GA
On 13.06.2017 at 19:33, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd
> version 2.4.26 can be found at the usual place:
>
> http://httpd.apache.org/dev/dist/
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
>
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
>
> Vote will last the normal 72 hrs.
>
> NOTE: The *-deps are only there for convenience

looks good so far with apr 1.5 on Fedora 25 because somebody should fix https://www.apache.org/dist/apr/ and when you look closer you see 1.6.x below

APR 1.5.2 is the latest available version
APR-util 1.5.4 is the latest available version
APR-iconv 1.2.1 is the latest available version
APR 0.9.20 is also available
APR-util 0.9.19 is also available
APR-iconv 0.9.7 is also available

Re: [VOTE] Release Apache httpd 2.4.26 as GA
On 14/06/2017 03:33, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd
> version 2.4.26 can be found at the usual place:
>
> http://httpd.apache.org/dev/dist/
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.26 GA.
>
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
>
> Vote will last the normal 72 hrs.
>
> NOTE: The *-deps are only there for convenience.
>
> Thx!

+1 Slackware with included apr 1.6.2 and apr-util 1.6.0

--
Kind Regards,
Noel Butler