From my perspective - as a simple packager (re: openssl - old versions) I
run into the problem of only being able to get to 0.9.8.k (AIX 5.3 TL12).
With AIX 6.1 and 7.1 it would be openssl-1.0.0(something - do not know by
memory what patchlevel IBM openssl.base is at). Personally, I am going to
look at packaging against LibreSSL. There are only three #ifdefs I needed
to add to get it to build. My apologies for being so late with saying
anything about this (I have been busy with 'regular' work).

I will start a new thread later today - and do it again from trunks of
2.2.x, 2.4.x and 2.5.x.

In short, there are ways around dependencies on old versions of openssl on
AIX. And further, if a 'user' is not willing to upgrade their OpenSSL - why
would you think they are going to upgrade to the latest httpd-2.2.x (or any
version for that matter).

The rules change - and we (read "me and other users") cannot reasonably
claim "latest and greatest from ASF" while requiring support for insecure
openssl. IMHO - you, ASF, also have an implied responsibility to the users
of Apache httpd powered sites. Being backward compatible too long keeps
weaknesses alive.

Michael

p.s. - for what it is worth +1 to drop 0.9.7 (maybe even 0.9.8 - but must
test more)

Michael

On Thu, May 7, 2015 at 11:50 PM, Yann Ylavic <ylavic....@gmail.com> wrote:

> +1
>
> On Thu, May 7, 2015 at 6:45 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> > Looking at the proposals in RFC 7525, I'm thinking this is a good time to
> > re-sync httpd to these guidelines, even if it defers these releases by a
> > week. WDYT?
> >
> > Bill
> >
> > On Fri, May 1, 2015 at 6:42 AM, Jim Jagielski <j...@jagunet.com> wrote:
> >>
> >> Yeah... I was gonna propose that once I had the weekend
> >> to take a more in-depth look at 2.4... But I am +1 for
> >> a release v. soon.
> >>
> >> Yeah, I'll RM 2.4
> >> > On Apr 30, 2015, at 5:52 PM, William A Rowe Jr <wr...@rowe-clan.net>
> >> > wrote:
> >> >
> >> > On Thu, Apr 2, 2015 at 4:46 PM, William A. Rowe Jr.
> >> > <wr...@rowe-clan.net> wrote:
> >> > On Tue, 31 Mar 2015 10:49:47 -0400
> >> > Jim Jagielski <j...@jagunet.com> wrote:
> >> >
> >> > > BTW: Would it make sense to consider a release of 2.4.13 in April
> >> > > to coincide w/ ApacheCon?
> >> >
> >> > We've historically produced a release at the beginning of the con.
> >> > It worked really well when we would hackathon two days, then retire
> >> > to do other con stuff for the balance of the event with a new
> >> > release in the hopper looking for votes.
> >> >
> >> > I'd love to see us tag and roll releases based on our efforts
> >> > throughout the entire gathering, sometime in that following week.
> >> > I offer to T&R an update of 2.2 as well to pick up any issues we
> >> > resolve over the course of that week.
> >> >
> >> > It seems that we have 2 groups of good things to come out of ApacheCon,
> >> > some immediate fixes for things like BSD project efforts, some pretty
> >> > straightforward defects that have been resolved... and then there's a
> >> > bunch of energy about enhancements and the h2 universe.
> >> >
> >> > In the short term, WDYT about giving the trees a week to settle, grab
> >> > the low hanging fruit and move forward for 2.4.13 and 2.2.30 end of
> >> > this coming week?  Guessing Jim's up for RM'ing 2.4.13, and I'm happy
> >> > to T&R 2.2.30 in tandem.
> >> >
> >> > Concerns / observations / thoughts?
> >> >
> >> > Bill
> >>
> >
>
