On Mon, Jan 17, 2022, 09:37 Ruediger Pluem <rpl...@apache.org> wrote:
> > > On 1/17/22 4:05 PM, Joe Orton wrote: > > On Sun, Jan 16, 2022 at 03:35:15PM -0600, William A Rowe Jr wrote: > >> 4 day ago, you all saw this. 6 years ago, you all started using this on > trunk. > >> > >> Don't know what I can to do help this along and honor the library > >> author's wishes for all of us to walk away from the dead fork, and use > >> the maintained fork. It's whatever it is, I'm out of here and removing > >> the backport application branch, whoever 3rd upvotes this be prepared > >> to apply this for us all, thanks. > > > > I'm fine with PCRE 10.x as a trunk/2.5 feature. PCRE upstream have > > maintained 8.x better than e.g. zlib upstream have done in recent years > > (last zlib release in 2017). So I don't find the fact it's considered > > EOL upstream presents any particular urgency, it's still supported > > downstream on platforms people deploy to. > > > > For 2.4.x I would argue it's better to keep a preference for 8.x over > > 10.x so that users aren't switched from one to the other across an > > upgrade - with some new performance trade-off we know about - without > > changing the environment/configure line? > > Sounds sensible for Linux to keep the default to 8.x if found where people > can expect their distribution to maintain stuff provided that the > distribution is still maintained. > I am not so sure for other platforms especially Windows where I guess that > people get stuff > more often directly from upstream. > Sensible? Did you read the memo at pcre.org? There will be no more evaluations of security risks on the abandoned fork and we were told this back in May 2021. Do you still have the same posture? Some of us spent the last 5 years arguing for httpd.next, and I resigned over it. Your call, you are PMC and I choose not to be.
