On Wed, Dec 28, 2016 at 9:13 AM, Jim Jagielski <j...@jagunet.com> wrote:
> cPanel too... They are moving to EA4 which is Apache 2.4.

If not moved yet, that example wouldn't be helpful, it reinforces my point four years later. But EA itself seems to track pretty closely to the most contemporaneous versions, looks like within a month.

> So the idea that supplemental (ie: 2.4.x->2.4.y) patches don't
> have the reach or range of larger ones (2.4.x->2.6/3.0) isn't
> quite accurate.

It's entirely accurate. It isn't all-encompassing. We have that data too, let's tear down SecuritySpace's Nov '16 dataset;
http://www.securityspace.com/s_survey/data/201611/servers.html

First off, if you follow that link, you'll find much larger numbers associated to those specific revisions shipped with the likes of RHEL or CentOS, Ubuntu (particularly -LTS flavors), etc etc etc. That was my contention in the top post. But let's quantify 'accuracy' as you defined it in the reply...

                                   Specific Revision
                          Of all   Most Recent             Of m.m   Of all
Apache/1.3.x     391898    3.33%   1.3.42         42392    10.82%    0.36%
Apache/2.0.x     551117    4.68%   2.0.64         36944     6.70%    0.31%
Apache/2.2.x    7129391   60.49%   2.2.31       1332448    18.78%   11.31%
Apache/2.4.x    3713364   31.51%   2.4.17+      1502061    42.90%   12.74%
               11785770            2.4.23        754385    21.54%    6.40%

The applicable data are 37.47% of all 'Apache[/n[.n[.n]]]' items, meaning that some 2/3rds of users drop the ServerTokens down to product only or major version only, and we can't derive anything useful from them, so we will ignore the Apache and Apache/2 references for our % evaluations, 'Of all' refers to those with at least Apache/2.x designations. I included 2.4.17-2.4.23 as an item, because that group are the versions that released within the past year of this particular survey data (that does include the then-current 2.4.23.) The 'Of m.m' - same major.minor - backs out that Apache/2.x (without a known subversion) from the calculation because we can't tell whether they are the corresponding or a different subversion.

Of httpd users we can quantify, 6.4% updated within months of the 2.4.23 release (your 'power users' classification.) That minority doesn't move the needle much on total adoption of httpd vs. others. Only 11.3% bothered to pick up the final 2.2.31 that has been out over a year, and combined with 12.74% running some 2.4.17...2.4.23, *** only 24% *** run a version that had been a current release within the preceding year. E.g. of those running a somewhat-current version, more than 1/4 are running the July 2.4.23 release by the end of November. Note that Fedora 25 didn't move the needle much on this, it shipped GA in December.

> aren't the ones we are talking about in the 1st place. We are
> talking about real, "power" users, who want/need the latest
> and greatest.

Not if you are talking overall adoption rate. As illustrated, those users adopting 2.4.23 already are a nearly accidental minority, after 5 mos half of the 'current' 2.4 users are running 2.4.23, the other half are running a flavor between 12 and 6 mos old. That looks like overall random distribution by deployment date, with no particular effort expended on 'staying current'.
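
Added example, not part of the original message or of the survey's tooling: one way to bucket `Server` banners by the 'Apache[/n[.n[.n]]]' granularity described above and derive the 'Of m.m' and 'Of all' shares for a given revision. The banner counts are constructed sample data, the function names are hypothetical, and the denominators follow one reading of the definitions in the message.

```python
import re
from collections import Counter

# Banner shapes from the message: Apache[/n[.n[.n]]], optionally followed by
# platform tokens such as "(CentOS)". "Apache-Coyote/1.1" must not match.
BANNER = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(?:\s|$)")

def classify(banner):
    """Return (granularity, major.minor, full revision), or None if not httpd."""
    m = BANNER.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    if major is None:
        return ("product", None, None)   # ServerTokens Prod
    if minor is None:
        return ("major", None, None)     # ServerTokens Major
    mm = f"{major}.{minor}"
    if patch is None:
        return ("minor", mm, None)       # ServerTokens Minor
    return ("full", mm, f"{mm}.{patch}")

def shares(counts, revision):
    """counts maps banner -> hosts. Returns the three ratios for one revision."""
    gran, full_by_mm, by_rev = Counter(), Counter(), Counter()
    for banner, hosts in counts.items():
        c = classify(banner)
        if c is None:
            continue                     # other products are out of scope
        g, mm, rev = c
        gran[g] += hosts
        if rev:
            full_by_mm[mm] += hosts
            by_rev[rev] += hosts
    applicable = gran["minor"] + gran["full"]   # at least major.minor known
    mm = revision.rsplit(".", 1)[0]
    return {
        "applicable": applicable / sum(gran.values()),
        # 'Of m.m' backs out banners whose subversion is unknown
        "of_mm": by_rev[revision] / full_by_mm[mm],
        "of_all": by_rev[revision] / applicable,
    }

# Constructed sample counts, not taken from the survey.
SAMPLE = {
    "Apache": 500, "Apache/2": 100, "Apache/2.4": 50,
    "Apache/2.4.23 (Unix)": 150, "Apache/2.4.10 (Debian)": 50,
    "Apache/2.2.31 (CentOS)": 100, "Apache/2.2.15 (CentOS)": 50,
    "Apache-Coyote/1.1": 999, "nginx/1.10.2": 400,
}
```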