I believe the opposite, that the announcement 2.4 contains enhancements, bug fixes, and security fixes, and 2.2 legacy containing security fixes will set user expectations. A later 2.2 announce muddies the waters when users ponder if it is 'current' and sufficient. We have language in both files to clarify this, but still...
Another way to put it is that 2.2.30 shouldn't be a headline and receive its own announcement, but sit as a sidebar of our significant public message that 2.4 release is out. But withholding a security fix for legacy server users? Sounds like a way to earn distrust of the user community, not reassure them that 2.4.14 is the best version available. Whose interest does that serve? Not ours, it leaves the risk in place between 2.2 and 2.4 instances because request splitting attacks require agents to interpret request length indications differently. Updating every affected server is the responsible action by the user, and a security release is rarely a smart moment in time to perform a major upgrade (config changes etc) without proper testing of those configs and services. On Jun 11, 2015 4:27 AM, "Steffen" <i...@apachelounge.com> wrote: > Not so happy to roll 2.2.30 in conjunction with 2.4.14. > > It does not stimulate pp to upgrade to 2.4., it suggest that the > httpd-project gives 2.2 (legacy) the same priority as 2.4. > > Better first 2.4 and after some time 2.2. I do not agree with the argument > to simplify the announcement. > > > > *From:* William A Rowe Jr <wr...@rowe-clan.net> > *Sent:* Thursday, June 11, 2015 4:54 AM > *Newsgroups:* gmane.comp.apache.devel > *To:* httpd <dev@httpd.apache.org> > *Subject:* Re: Review of 2.2.x security patch sought. > > Just a quick /nag that I'm happy to roll 2.2.30 in conjunction with > 2.4.14, > so that we present both to the community at the same time, and simplify > the announcement. This patch still needs a third +1 to be adopted (it is > already in trunk, and in the 2.4.14 Jim will be tagging & rolling shortly). > > ... > ... > ... >
