Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On Mon, Mar 8, 2021 at 6:00 PM Ruediger Pluem wrote:
>
> I would be willing to vote again with a +1 if Joe is willing to roll 2.16
> with just that change over 2.15.

+1
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On 08/03/2021 at 18:00, Ruediger Pluem wrote:
> On 3/8/21 5:40 PM, Steve Hay wrote:
>> On Tue, 23 Feb 2021 at 10:20, Joe Orton wrote:
>>> On Mon, Feb 22, 2021 at 03:57:25PM +, Steve Hay wrote:
>>>> On Fri, 13 Nov 2020 at 16:43, Joe Orton wrote:
>>>>> Thanks all for testing, the vote has passed:
>>>>>
>>>>> PMC votes +1: ylavic, rpluem, covener
>>>>> Community +1: stevehay
>>>>>
>>>>> (Steve, looks like we need to get you on the httpd PMC!)
>>>>>
>>>>> and no -1 votes.
>>>>>
>>>>> I'll promote the release & prep the announcement mail.
>>>>
>>>> I think these releases normally go to Perl's CPAN as well (it is item
>>>> 12 in build/RELEASE), but I don't see 2.15 here:
>>>> https://metacpan.org/release/libapreq2
>>>>
>>>> Do you have perms to upload there? If not then I don't mind trying to
>>>> see if I can do it. (I've done mod_perl releases before, so it might
>>>> work ;-))
>>
>> The simplest way for us to fix this is to release a 2.16 with a
>> corrected META.yml. I've just committed rev. 1887336 to fix the
>> generation of the META.yml file for our next release.
>
> I would be willing to vote again with a +1 if Joe is willing to roll 2.16
> with just that change over 2.15.
>
> Regards
>
> Rüdiger

Hi,

should a new release be done quickly, BZ 56598 and maybe BZ 52370 should be looked at.
It looks like easy to check and test patches.

I've not svn'ed this repo so far, I won't be able to do so in the near future.

Just my 2c

CJ
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On 3/8/21 5:40 PM, Steve Hay wrote:
> On Tue, 23 Feb 2021 at 10:20, Joe Orton wrote:
>>
>> On Mon, Feb 22, 2021 at 03:57:25PM +, Steve Hay wrote:
>>> On Fri, 13 Nov 2020 at 16:43, Joe Orton wrote:
>>>> Thanks all for testing, the vote has passed:
>>>>
>>>> PMC votes +1: ylavic, rpluem, covener
>>>> Community +1: stevehay
>>>>
>>>> (Steve, looks like we need to get you on the httpd PMC!)
>>>>
>>>> and no -1 votes.
>>>>
>>>> I'll promote the release & prep the announcement mail.
>>>
>>> I think these releases normally go to Perl's CPAN as well (it is item
>>> 12 in build/RELEASE), but I don't see 2.15 here:
>>> https://metacpan.org/release/libapreq2
>>>
>>> Do you have perms to upload there? If not then I don't mind trying to
>>> see if I can do it. (I've done mod_perl releases before, so it might
>>> work ;-))
>>
> The simplest way for us to fix this is to release a 2.16 with a
> corrected META.yml. I've just committed rev. 1887336 to fix the
> generation of the META.yml file for our next release.
>

I would be willing to vote again with a +1 if Joe is willing to roll 2.16 with just that change over 2.15.

Regards

Rüdiger
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On Tue, 23 Feb 2021 at 10:20, Joe Orton wrote:
>
> On Mon, Feb 22, 2021 at 03:57:25PM +, Steve Hay wrote:
> > On Fri, 13 Nov 2020 at 16:43, Joe Orton wrote:
> > >
> > > Thanks all for testing, the vote has passed:
> > >
> > > PMC votes +1: ylavic, rpluem, covener
> > > Community +1: stevehay
> > >
> > > (Steve, looks like we need to get you on the httpd PMC!)
> > >
> > > and no -1 votes.
> > >
> > > I'll promote the release & prep the announcement mail.
> > >
> >
> > I think these releases normally go to Perl's CPAN as well (it is item
> > 12 in build/RELEASE), but I don't see 2.15 here:
> > https://metacpan.org/release/libapreq2
> >
> > Do you have perms to upload there? If not then I don't mind trying to
> > see if I can do it. (I've done mod_perl releases before, so it might
> > work ;-))
>
> I have never submitted anything to CPAN before, so if you are set up to
> do it, that'd be great, please go ahead!
>

Apologies for the delay in getting back to you on this.

I uploaded the file but there have been problems getting it correctly
indexed - partly due to me initially not having the required
permissions (now resolved by the CPAN admins), but also partly due to
a weakness in our META.yml file.

The distro is now on MetaCPAN, but as you can see here many modules
are listed as UNAUTHORIZED:

https://metacpan.org/release/libapreq2

The problem is that our META.yml file fails to include the "file"
attribute for each item in the "provides" list. The "file" attribute
is now a *required* attribute -- see
https://metacpan.org/pod/CPAN::Meta::Spec#file1

The file is therefore regarded as invalid and MetaCPAN constructs its
own file instead, but includes every file within the distro, many of
which are not candidates for indexing and it all goes wrong...

The simplest way for us to fix this is to release a 2.16 with a
corrected META.yml. I've just committed rev. 1887336 to fix the
generation of the META.yml file for our next release.

Is there any appetite for a quick release of 2.16 to resolve this
indexing issue? If not then we can leave it until whenever we next
naturally make a release, and in the meantime it may be possible for
the CPAN admins to fix up the indexing temporarily, but I think it's
more trouble for them than a quick release would be for us.
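
The META.yml condition described in the message above can be checked before an upload. The following Perl is an added example, not part of the original thread or of the libapreq2 build scripts; the sample META.yml and the helper name provides_problems are constructed for illustration, and the path test is only a minimal reading of the spec's "Unix-style relative file path" wording.

```perl
#!/usr/bin/perl
# Added example: report "provides" entries in a META.yml that lack "file".
use strict;
use warnings;
use CPAN::Meta::YAML;    # ships with perl since 5.14

# Constructed sample, not the real libapreq2 META.yml.
my $sample = <<'YAML';
---
name: Example-Dist
version: '0.01'
provides:
  Example::Request:
    file: lib/Example/Request.pm
    version: '0.01'
  Example::Param:
    version: '0.01'
  Example::Empty:
    file: ''
YAML

# Hypothetical helper: returns one message per invalid "provides" entry.
sub provides_problems {
    my ($yaml_text) = @_;
    my $docs = eval { CPAN::Meta::YAML->read_string($yaml_text) }
        or die "cannot parse META.yml: $@\n";
    my $meta = $docs->[0];
    return ("top level is not a mapping") unless ref $meta eq 'HASH';

    my $provides = $meta->{provides};
    return () unless defined $provides;    # the field itself is optional
    return ("'provides' is not a mapping") unless ref $provides eq 'HASH';

    my @problems;
    for my $pkg (sort keys %$provides) {
        my $entry = $provides->{$pkg};
        if (ref $entry ne 'HASH') {
            push @problems, "$pkg: entry is not a mapping";
        }
        elsif (!defined $entry->{file} || $entry->{file} eq '') {
            push @problems, "$pkg: missing required 'file' attribute";
        }
        elsif ($entry->{file} =~ m{^/|\\}) {
            push @problems, "$pkg: 'file' must be a Unix-style relative path";
        }
    }
    return @problems;
}

my @problems = provides_problems($sample);
print "$_\n" for @problems;
exit(@problems ? 1 : 0);
```

The non-zero exit status lets a release checklist step fail before the tarball is uploaded.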
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On Mon, Feb 22, 2021 at 03:57:25PM +, Steve Hay wrote:
> On Fri, 13 Nov 2020 at 16:43, Joe Orton wrote:
> >
> > Thanks all for testing, the vote has passed:
> >
> > PMC votes +1: ylavic, rpluem, covener
> > Community +1: stevehay
> >
> > (Steve, looks like we need to get you on the httpd PMC!)
> >
> > and no -1 votes.
> >
> > I'll promote the release & prep the announcement mail.
> >
>
> I think these releases normally go to Perl's CPAN as well (it is item
> 12 in build/RELEASE), but I don't see 2.15 here:
> https://metacpan.org/release/libapreq2
>
> Do you have perms to upload there? If not then I don't mind trying to
> see if I can do it. (I've done mod_perl releases before, so it might
> work ;-))

I have never submitted anything to CPAN before, so if you are set up to
do it, that'd be great, please go ahead!

Regards, Joe
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On Fri, 13 Nov 2020 at 16:43, Joe Orton wrote:
>
> Thanks all for testing, the vote has passed:
>
> PMC votes +1: ylavic, rpluem, covener
> Community +1: stevehay
>
> (Steve, looks like we need to get you on the httpd PMC!)
>
> and no -1 votes.
>
> I'll promote the release & prep the announcement mail.
>

I think these releases normally go to Perl's CPAN as well (it is item
12 in build/RELEASE), but I don't see 2.15 here:
https://metacpan.org/release/libapreq2

Do you have perms to upload there? If not then I don't mind trying to
see if I can do it. (I've done mod_perl releases before, so it might
work ;-))
Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
On 11/13/20 5:43 PM, Joe Orton wrote:
> Thanks all for testing, the vote has passed:
>
> PMC votes +1: ylavic, rpluem, covener
> Community +1: stevehay
>
> (Steve, looks like we need to get you on the httpd PMC!)
>
> and no -1 votes.
>
> I'll promote the release & prep the announcement mail.

Thanks for RM, moving this forward and get the long standing CVE fixed.

Regards

Rüdiger
[RESULT: PASS] Re: [VOTE] Release libapreq2-2.15
Thanks all for testing, the vote has passed:

PMC votes +1: ylavic, rpluem, covener
Community +1: stevehay

(Steve, looks like we need to get you on the httpd PMC!)

and no -1 votes.

I'll promote the release & prep the announcement mail.

Regards, Joe
Re: [VOTE] Release libapreq2-2.15
On Thu, 5 Nov 2020 at 16:39, Joe Orton wrote:
>
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>

+1 I think. At least it has the Win32 build fixes that have been
unreleased for ages, so thanks for making this release.

I am getting a test failure (Windows 10, VS2019 v16.7.3, httpd 2.4.41,
perl 5.30.1), but this was happening with the unreleased "2.14" that
I've been using recently anyway. Verbose output:

D:\Dev\Temp\libapreq2-2.15\glue\perl>perl.exe -Iblib\arch -Iblib\lib t\TEST -verbose=1 t\apreq\cgi.t
[...]
t\apreq\cgi.t ..
# writing file: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin\test_cgi.pl
1..71
# Running under perl version 5.030001 for MSWin32
# Current time local: Fri Nov 6 17:19:49 2020
# Current time GMT: Fri Nov 6 17:19:49 2020
# Using Test.pm version 1.31
# Using Apache/Test.pm version 1.42
[...]
ok 31
Odd number of elements in hash assignment at t\apreq\cgi.t line 197.
# removing file: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin\test_cgi.pl
# removing dir tree: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin
Dubious, test returned 9 (wstat 2304, 0x900)
Failed 40/71 subtests

I get this in the error_log:

[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104] [client 10.93.12.29:54076] End of script output before headers: test_cgi.pl
[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104] [client 10.93.12.29:54076] AH01215: test_cgi.pl(20): Creating APR::Request::CGI object\r: D:/Dev/Temp/libapreq2-2.15/glue/perl/t/cgi-bin/test_cgi.pl
[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104] [client 10.93.12.29:54076] AH01215: $param->upload_tempname($req): can't make spool bucket at D:\\Dev\\Temp\\libapreq2-2.15\\glue\\perl\\blib\\lib/APR/Request/Param.pm line 37.\r: D:/Dev/Temp/libapreq2-2.15/glue/perl/t/cgi-bin/test_cgi.pl
[Fri Nov 06 17:19:56.559839 2020] [http:trace3] [pid 24136:tid 1104] http_filters.c(1125): [client 10.93.12.29:54076] Response sent with status 500, headers:

Don't let this hold up the release since it isn't a new problem.
Re: [VOTE] Release libapreq2-2.15
[X] +1: It's not just good, it's good enough!

All tests pass here.

Thanks Joe for RMing!

Regards;
Yann.
Re: [VOTE] Release libapreq2-2.15
On Thu, Nov 5, 2020 at 11:40 AM Joe Orton wrote:
>
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksum for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494
> libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701
> libapreq2-2.15.tar.gz
>
> The release is prepared from:
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>
> Regards, Joe

+1 based on diff to 2.13
Re: [VOTE] Release libapreq2-2.15
On 11/5/20 5:39 PM, Joe Orton wrote:
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksum for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494
> libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701
> libapreq2-2.15.tar.gz
>
> The release is prepared from:
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>

Regards

Rüdiger
Re: [VOTE] Release libapreq2-2.15
Hi Joe,

> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksum for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494 libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701 libapreq2-2.15.tar.gz
>
> The release is prepared from:
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>
> Regards, Joe

Sorry, not a vote but just a small information:

Similar to the httpd project itself (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=63923) I had generated
now on the FOSS server fossies.org also a codespell report for the
libapreq2-2.15.tar.gz tarball:

https://fossies.org/linux/test/libapreq2/codespell.html

That version-independent URL should be available at least for some
days and should redirect always to the last report (if available), so
currently to

https://fossies.org/linux/test/libapreq2-2.15.tar.gz/codespell.html

By the way, the used special "test" folder isn't really integrated
into the standard Fossies services and should not be accessible to
search engines either.

Although the correction of misspellings and typos has probably not a
top priority, I hope that the report can nevertheless be a little bit
useful.

Regards

Jens

--
FOSSIES - The Fresh Open Source Software archive
mainly for Internet, Engineering and Science
https://fossies.org/
[VOTE] Release libapreq2-2.15
Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:

https://dist.apache.org/repos/dist/dev/httpd/libapreq/

This release is mainly to address a security issue in libapreq2 which
has been outstanding for over a year, CVE-2019-12412.

I would like to call a VOTE over the next few days to release this
candidate tarball as v2.15:

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

SHA1/256/512 checksum for the tarball are as follows:

2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d libapreq2-2.15.tar.gz
4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494 libapreq2-2.15.tar.gz
abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701 libapreq2-2.15.tar.gz

The release is prepared from:
https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146

Regards, Joe
