On Wed, 12 Jun 2013 05:41:35 -0700 (PDT)
Petr Sumbera <petr.sumb...@oracle.com> wrote:

> Hi guys,
> 
> shouldn't Apache 2.2 contain the same change which went for 2.4?
> 
> http://svn.apache.org/viewvc?view=revision&revision=1400962

In principle, we do not change defaults in a released branch.

This was altered after 2.4.0 was released, so obviously that
principle was not followed.  Although there is no server vulnerability
addressed by this change, and although it is a flaw in implementations
(and far from all implementations) which that change addressed, it
seems for consistency's sake that if the project caused this to change
in the release branch of 2.4 then it should change in the release
branch 2.2 as well.

However, the time to change this was obviously in 2.2.24.  It seems
that a lack of attention to detail by those committers let this change
escape scrutiny.

I believe the change is outside of the scope which server authors should
entertain, and it is up to the user agent authors to make an intelligent
choice knowing the risks and lack of risks in their agent implementation,
but we ought to at least be consistent between stable release branches,
that is, if 2.4 actually qualifies as a stable branch.

Perhaps this time, we entertain a proper vote rather than a pair of
devs electing to change defaults on a whim.  Stable branches are RTC
for a reason.



