Jim Jagielski wrote: > > On Oct 2, 2007, at 2:36 PM, Jeff Trawick wrote: > >> On 10/2/07, Jim Jagielski <[EMAIL PROTECTED]> wrote: >>> >>> On Oct 1, 2007, at 6:52 PM, William A. Rowe, Jr. wrote: >>> >>>> William A. Rowe, Jr. wrote: >>>>> >>>>> Give that some thought :) >>>> >>>> One thing I'm pondering is a 2.3.0 alpha in the near future. >>>> >>>> If only to give the "we stay back at version n.x-1" crowd something >>>> to chew on. >>>> >>>> Not to mention that it would be good for folks to start exploring >>>> what needs to be fixed in the API, etc. >>>> >>> >>> Well, we could do: >>> >>> o Apache 1.3 and 2.0 deprecated >> >> (deprecated == no fixes after some date) >> >> Somebody somewhere will patch 1.3.last with security fixes for >> newly-discovered vulnerabilities. If nowhere visible/common, then >> possibly 100s of individuals will be doing that for themselves. Is >> there really enough value in making a statement that we disagree with >> those many servers continuing to run 1.3 to justify sending Apache >> users somewhere else for fixes? >> >> (When there are fewer than 3 httpd developers willing to >> review/approve/publish security fixes for 1.3, this is of course >> irrelevant.) >> > > As one of the very few remaining 1.3 developers, I both want > to not cut off 1.3 users at the knees, but nor do I want > us to keep holding onto a codebase which is really not > being developed anymore... I don't think it's so much > a statement that "you need to move on" but rather "*we* (the > ASF) have moved on" from 1.3...
So, the first step is to cut out any illusion that new features are going into 1.3, with a statement like this: Starting in January 2008, only critical security issues will be fixed in Apache HTTP Server versions 1.3.x or 2.0.x. I honestly believe we will be somewhat responsible for fixing any major security issues in 1.3 and 2.0 for the next 5-10 years, unless Waka suddenly explodes and replaces http :-) Thoughts?
