On Fri, Sep 21, 2018 at 12:31 PM Dennis Clarke <[email protected]> wrote:
> > Then this paragraph bugs me : > > This release requires the Apache Portable Runtime (APR), minimum > version 1.5.x, and APR-Util, minimum version 1.5.x. Some features > may require the 1.6.x version of both APR and APR-Util. The APR > libraries must be upgraded for all features of httpd to operate > correctly. > > To me Apache httpd is the big dog of web services platforms in the open > world and so I have to wonder what features go missing and what features > get enabled with the latest and greatest apr and apr-util bits. Feels > like yet another text link notes.txt or similar. Worse, that means an > actual test build and check of httpd with older apr bits. How horrific > would it be to merely change the language of that paragraph and draw a > line in the sand thus : > > > This release requires the Apache Portable Runtime (APR) and also > the Apache Portable Runtime Utility. The APR libraries must be > upgraded for all features of httpd to operate correctly. Not "features". The original APR 1.4.x packages, corresponding to the early httpd 2.4.x releases have known vulnerabilities to mitigate, which read on an httpd build's behavior. I believe "correctly" is not a sufficient caution. I agree with you, that specific features in httpd docs should spell out if an upgraded (post-1.4) flavor of apr[-util] is required for that feature.
