On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
> On Wed, 12 Jun 2013 05:41:35 -0700 (PDT)
> Petr Sumbera <petr.sumb...@oracle.com> wrote:
> > Hi guys,
> >
> > shouldn't Apache 2.2 contain the same change which went for 2.4?
> >
> > http://svn.apache.org/viewvc?view=revision&revision=1400962
>
> In principle, we do not change defaults in a released branch.

That's not true. It doesn't happen very often but it does happen.

> This was altered after 2.4.0 was released, so obviously that
> principle was not followed. Although there is no server
> vulnerability addressed by this change, and although it is a flaw
> in implementations (and far from all implementations) which that

All web *browsers* that support compression are affected. Only
non-browser clients are not affected. Calling that "far from all"
stretches things a bit.

> change addressed, it seems for consistency's sake that if the
> project caused this to change in the release branch of 2.4 then it
> should change in the release branch 2.2 as well.

I agree that it should be changed in 2.2, too. But it seems no one had
time to do it.

> Perhaps this time, we entertain a proper vote rather than a pair of
> devs electing to change defaults on a whim. Stable branches are
> RTC for a reason.

Huh? We had three devs voting for the backport. What more do you want?