On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <j...@jagunet.com> wrote:
>
>> AFAICT there is no consensus. But is this really a blocker?
>
> I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant vulnerability
> fixes (everyone seems very enamored with fuzz generators these past few years.)
>
> It doesn't block creation of httpd-2.4.24.tar.gz, obviously.
>
> It does raise the question again of whether the httpd project can distribute
> a source code package on www.apache.org/dist/httpd/ which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.

@VP Legal, is this worth an escalation? You didn't see fit to respond today,
but I think this falls under the purview of your committee, w.r.t. unapproved
release artifacts living at www.apache.org/dist/. Did you have any thoughts
or opinions one way or another?