On 23.09.2013 11:17, Joe Orton wrote: > On Sun, Sep 22, 2013 at 12:32:23PM +0200, Kaspar Brand wrote: >> Feedback on this approach is again very welcome. Increasing the minimum >> required OpenSSL version from 0.9.7 to 0.9.8a shouldn't be of concern, >> IMO, as 0.9.7 is no longer maintained, and 0.9.8a was released in >> October 2005 already. > > I'd guess this is uncontroversial for trunk, but might be worth flagging > up in a separate thread since people did care about 0.9.7 last time we > had a poll. Or you could just slip it in and anybody who is not paying > attention to dev@ can suffer the consequences ;)
Ok, let's do that then. For the sake of completeness: these are the threads started in May 2010 and July 2011, respectively: https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%3c20100525124551.ga11...@redhat.com%3E https://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%3c4e35065d.30...@velox.ch%3E In the first thread, Joe asked about going straight to 1.0[.0], and people were mostly concerned about 0.9.8 (not 0.9.7) at that time. See e.g. https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%3ca40a83c6-5030-4226-a09a-a6393cb6e...@apache.org%3E https://mail-archives.apache.org/mod_mbox/httpd-dev/201006.mbox/%3c4c0535a9.10...@kippdata.de%3E What I put together about two years ago is still true: > Some more data points: > > - the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004 > > - OpenSSL 0.9.8 was released in July 2005 > > - the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007 > > - OpenSSL 1.0.0 was released in March 2010 > > I.e., no one should try to compile trunk against OpenSSL 0.9.6 these > days, IMO (and even 0.9.7 isn't really a good idea, as the official > releases are no longer maintained). Speaking of mod_ssl in 2.4.x, I can hardly imagine that OS vendors which consider shipping 2.4 (as opposed to 2.2) would still want to compile this against OpenSSL 0.9.7 (even Solaris is now at 1.0.0, FYI). So, QUESTION: is there anyone who still thinks that going to OpenSSL 0.9.8a for trunk (and very likely for 2.4.x, when backporting) is a bad idea? If so, please raise your voice. Kaspar
