On Tue, Mar 13, 2018 at 3:53 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Tue, Mar 13, 2018 at 9:34 PM, <wr...@apache.org> wrote:
>> Author: wrowe
>> Date: Tue Mar 13 20:34:36 2018
>> New Revision: 25693
>>
>> Log:
>> Drop unsupported files from the distribution site.
>>
>> These remain available from http://archive.apache.org/dist/httpd/
>>
>>
>> Removed:
> []
>> release/httpd/patches/apply_to_2.2.34/
>
> Why? First this directory was not empty (IIRC), and I think it could
> be used to provide security/bug patches for RIP 2.2, maybe some of us
> still have to make legacy 2.2 work and can share.
> It looked like the last place (with docs) to worth some/possible updates...

Here's the issue, with publishing 2.2 patches + security errata on an ongoing basis. If we are publishing these ongoing as "advised", we are taking the responsibility to continue to offer that advice and recommendations for any patches we are aware of that mitigate vulnerabilities.

As we decided a long while back (and reaffirmed in a recent poll) that we aren't actually referring back to 2.2.x sources when we evaluate and publish advice on CVE-2018-next... well, then it's actually irresponsible to publish the corresponding source tarball or cumulative patchset on an ongoing basis.

That said, it wasn't deleted. https://archive.apache.org/dist/httpd/?P=httpd-2.2.34* is still available.

If we decide not to continue publication of an unsupported package, why would the patches/ continue to reside where the source package cannot be found? As you can see, they are right alongside the current location of that package; https://archive.apache.org/dist/httpd/patches/apply_to_2.2.34/

Additional thoughts?

Cheers,

Bill