Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Rainer Jung]

Thanks!

Am 03.04.24 um 21:13 schrieb Eric Covener:

On Wed, Apr 3, 2024 at 3:03 PM Eric Covener  wrote:


On Wed, Apr 3, 2024 at 2:54 PM Rainer Jung  wrote:


Minor nit: the format of the SHA hash files has changes. Example:

2.4.58:

fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5
*httpd-2.4.58.tar.bz2

2.4.59:

SHA2-256(httpd-2.4.59-rc1.tar.bz2)=
ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323


fixed and repaired the ones on dist/dev

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Eric Covener]

On Wed, Apr 3, 2024 at 3:03 PM Eric Covener  wrote:
>
> On Wed, Apr 3, 2024 at 2:54 PM Rainer Jung  wrote:
> >
> > Minor nit: the format of the SHA hash files has changes. Example:
> >
> > 2.4.58:
> >
> > fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5
> > *httpd-2.4.58.tar.bz2
> >
> > 2.4.59:
> >
> > SHA2-256(httpd-2.4.59-rc1.tar.bz2)=
> > ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323

fixed and repaired the ones on dist/dev

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Eric Covener]

On Wed, Apr 3, 2024 at 2:54 PM Rainer Jung  wrote:
>
> Minor nit: the format of the SHA hash files has changes. Example:
>
> 2.4.58:
>
> fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5
> *httpd-2.4.58.tar.bz2
>
> 2.4.59:
>
> SHA2-256(httpd-2.4.59-rc1.tar.bz2)=
> ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323

It looks like the release tools are trying to strip that but maybe no
longer matching?
https://svn.apache.org/repos/asf/httpd/dev-tools/release/common-lib.sh

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Rainer Jung]

Minor nit: the format of the SHA hash files has changes. Example:

2.4.58:

fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5 
*httpd-2.4.58.tar.bz2


2.4.59:

SHA2-256(httpd-2.4.59-rc1.tar.bz2)= 
ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323


I need to see how to check scripted with commandline tools.

Am 03.04.24 um 14:26 schrieb Eric Covener:

Hi all,

(After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
= e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
= 
baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82

The SVN candidate source is found at tags/2.4.59-rc1-candidate.

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Graham Leggett via dev]

On 03 Apr 2024, at 13:26, Eric Covener  wrote:

> [ ] +1: It's not just good, it's good enough!

+1 on RHEL9.

Regards,
Graham
--

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Cory McIntire]

+1

CentOS 6
CentOS 7
AlmaLinux 8
AlmaLinux 9
Ubuntu 20
Ubuntu 22

Thanks for RM’n.

Regards,
Cory McIntire | Release Manager
cory.mcint...@webpros.com | cPanel – a 
webpros company



From: Eric Covener 
Date: Wednesday, April 3, 2024 at 07:26
To: Apache HTTP Server Development List 
Subject: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59
Hi all,

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

Community over Code EU 2024: Start planning your trip!

[Ryan Skraba]

[Note: You're receiving this email because you are subscribed to one
or more project dev@ mailing lists at the Apache Software Foundation.]

Dear community,

We hope you are doing great, are you ready for Community Over Code EU?
Check out the featured sessions, get your tickets with special
discounts and start planning your trip.

Save your spot! Take a look at our lineup of sessions, panelists and
featured speakers and make your final choice:

* EU policies and regulations affecting open source specialists working in OSPOs

The panel will discuss how EU legislation affects the daily work of
open source operations. Panelists will cover some recent policy
updates, the challenges of staying compliant when managing open source
contribution and usage within organizations, and their personal
experiences in adapting to the changing European regulatory
environment.

* Doing for sustainability, what open source did for software

In this keynote Asim Hussain will explain the history of Impact
Framework, a coalition of hundreds of software practitioners with
tangible solutions that directly foster meaningful change by measuring
the environmental impacts of a piece of software.

Don’t forget that we have special discounts for groups, students and
Apache committers. Visit the website to discover more about these
rates.[1]

It's time for you to start planning your trip. Remember that we have
prepared a “How to get there” guide that will be helpful to find out
the best transportation, either train, bus, flight or boat to
Bratislava from wherever you are coming from. Take a look at the
different options and please reach out to us if you have any
questions.

We have available rooms -with a special rate- at the Radisson Blu
Carlton Hotel, where the event will take place and at the Park Inn
Hotel which is only 5 minutes walking from the venue. [2] However, you
are free to choose any other accommodation options around the city.

See you in Bratislava,
Community Over Code EU Team

[1]: https://eu.communityovercode.org/tickets/ "Register"
[2]: https://eu.communityovercode.org/venue/ "Where to stay"

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Yann Ylavic]

On Wed, Apr 3, 2024 at 2:26 PM Eric Covener  wrote:
>
> I would like to call a SHORTENED VOTE to release
> this candidate tarball httpd-2.4.59-rc1 as 2.4.59:

[X] +1: It's not just good, it's good enough!

All good from my testing on debian(s).

Thanks Eric!

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[jean-frederic clere]

On 4/3/24 14:26, Eric Covener wrote:

[X] +1: It's not just good, it's good enough!


Build and tested in fedora 39 and windows server 2019 (VS17 2022 Cmake).

--
Cheers

Jean-Frederic

Re: mod_systemd: refactor to get rid of libsystemd dependency?

[Graham Leggett via dev]

On 02 Apr 2024, at 11:25, Rainer Jung  wrote:

> in the light of the recent xz attack I was wondering, whether we should also 
> reduce our library dependencies by no longer using sd_notify() in mod_systemd 
> (thus loading libsystemd and all of its dependencies), but instead taking the 
> approach to hard code sd_notify functionality.
> 
> I guess the Linux distributors who patched sshd to use libsystemd for 
> notification are on their way to do the same for their sshd patches, so we 
> might soon get an idea how to do that properly.
> 
> This is not meant to become part of out next release (this week), but 
> hopefully we can manage to code it for the next one.
> 
> WDYT: does this make sense?

Definite +1.

The attack surface on systemd has always been too big, now is the time to fix 
that.

Regards,
Graham
--

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[giovanni]

On 4/3/24 14:26, Eric Covener wrote:

Hi all,

(After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
+1

tested on OpenBSD 7.5 (LibreSSL 3.9.0) and Fedora39

Thanks for RMing
 Giovanni


OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: mod_systemd: refactor to get rid of libsystemd dependency?

[Joe Orton]

On Tue, Apr 02, 2024 at 12:25:40PM +0200, Rainer Jung wrote:
> Hi there,
> 
> in the light of the recent xz attack I was wondering, whether we should also
> reduce our library dependencies by no longer using sd_notify() in
> mod_systemd (thus loading libsystemd and all of its dependencies), but
> instead taking the approach to hard code sd_notify functionality.
> 
> I guess the Linux distributors who patched sshd to use libsystemd for
> notification are on their way to do the same for their sshd patches, so we
> might soon get an idea how to do that properly.
> 
> This is not meant to become part of out next release (this week), but
> hopefully we can manage to code it for the next one.
> 
> WDYT: does this make sense?

The trunk mod_systemd has got slightly wider library use than just 
sd_notify - so it is not quite that simple. If there was an alternative 
minimal library implementing the sd_* API parts required, that would 
definitely make sense. I'm not sure that reimplementing them all from 
scratch makes sense (especially multiplied by N projects doing this).

It looks like systemd folks have also changed the library implementation 
to dlopen() the various dependant libraries on demand now rather than 
directly linking to them, which removes the specific attack vector used 
here IIUC.

Regards, Joe

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Frank Gingras]

On Wed, Apr 3, 2024 at 9:16 AM Stefan Eissing via dev 
wrote:

>
>
> > Am 03.04.2024 um 14:26 schrieb Eric Covener :
> >
> > Hi all,
> >
> > (After only minor embarrassment of patching tags/2.4.55 instead of
> 2.4.x...)
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a SHORTENED VOTE to release
> > this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > = e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
> > =
> baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82
> >
> > The SVN candidate source is found at tags/2.4.59-rc1-candidate.
>
> +1 (macOS, 23.4.0, x86_64)
>
> Thanks,
> Stefan


+1 here, no problem on Slackware64.

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Joe Orton]

On Wed, Apr 03, 2024 at 08:26:09AM -0400, Eric Covener wrote:
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a SHORTENED VOTE to release
> this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1 from me. Passes test suite on RHEL8+9+CentOS Stream 10. Big thanks for 
RMing.

Also a CI pass: https://github.com/apache/httpd/actions/runs/8538499329

Regards, Joe

Participate in the ASF 25th Anniversary Campaign

[Brian Proffitt]

Hi everyone,

As part of The ASF’s 25th anniversary campaign[1], we will be celebrating
projects and communities in multiple ways.

We invite all projects and contributors to participate in the following
ways:

* Individuals - submit your first contribution:
https://news.apache.org/foundation/entry/the-asf-launches-firstasfcontribution-campaign
* Projects - share your public good story:
https://docs.google.com/forms/d/1vuN-tUnBwpTgOE5xj3Z5AG1hsOoDNLBmGIqQHwQT6k8/viewform?edit_requested=true
* Projects - submit a project spotlight for the blog:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=278466116
* Projects - contact the Voice of Apache podcast (formerly Feathercast) to
be featured: https://feathercast.apache.org/help/
*  Projects - use the 25th anniversary template and the #ASF25Years hashtag
on social media:
https://docs.google.com/presentation/d/1oDbMol3F_XQuCmttPYxBIOIjRuRBksUjDApjd8Ve3L8/edit#slide=id.g26b0919956e_0_13

If you have questions, email the Marketing & Publicity team at
mark...@apache.org.

Peace,
BKP

[1] https://apache.org/asf25years/

[NOTE: You are receiving this message because you are a contributor to an
Apache Software Foundation project. The ASF will very occasionally send out
messages relating to the Foundation to contributors and members, such as
this one.]

Brian Proffitt
VP, Marketing & Publicity
VP, Conferences

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Stefan Eissing via dev]

> Am 03.04.2024 um 14:26 schrieb Eric Covener :
> 
> Hi all,
> 
> (After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a SHORTENED VOTE to release
> this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> = e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
> = 
> baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82
> 
> The SVN candidate source is found at tags/2.4.59-rc1-candidate.

+1 (macOS, 23.4.0, x86_64)

Thanks,
Stefan

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Eric Covener]

> I would like to call a SHORTENED VOTE to release
> this candidate tarball httpd-2.4.59-rc1 as 2.4.59:

my +1 (AIX/xlc/ppc64)

Only familiar t/ssl/proxy.t client auth issues with a openssl11 server

[VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[Eric Covener]

Hi all,

(After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
= e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
= 
baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82

The SVN candidate source is found at tags/2.4.59-rc1-candidate.

Re: Failing test t/apache/pr64339.t

[Rainer Jung]

Am 03.04.24 um 09:52 schrieb Joe Orton:

On Tue, Apr 02, 2024 at 08:46:46PM -0400, Eric Covener wrote:

This could be due to none of these happening:
- mod_mime didn't send a charset from backend
- no BOM
- no xml2EncDefault (8859-1 effectively by default) on frontend

To make the conf match the test code, this works for me to address
mod_mime on the backend:


Yup. Sorry for wasting your time on this. Thanks for the commit, I had
the same change uncommitted locally still and missed it.


Thanks Eric for analyzing and fixing and Joe for confirming. The patch 
fixes it for me as well.


Best regards,

Rainer

Re: Failing test t/apache/pr64339.t

[Joe Orton]

On Tue, Apr 02, 2024 at 08:46:46PM -0400, Eric Covener wrote:
> This could be due to none of these happening:
> - mod_mime didn't send a charset from backend
> - no BOM
> - no xml2EncDefault (8859-1 effectively by default) on frontend
> 
> To make the conf match the test code, this works for me to address
> mod_mime on the backend:

Yup. Sorry for wasting your time on this. Thanks for the commit, I had 
the same change uncommitted locally still and missed it.