On Mon, Apr 27, 2026 at 8:43 AM Eric Covener <[email protected]> wrote: > > On Mon, Apr 27, 2026 at 8:34 AM Joe Orton <[email protected]> wrote: > > > > On Mon, Apr 27, 2026 at 06:37:04AM -0400, Eric Covener wrote: > > > On Mon, Apr 27, 2026 at 5:49 AM Joe Orton <[email protected]> wrote: > > > > > > > > On Sun, Apr 26, 2026 at 12:49:23PM -0400, Eric Covener wrote: > > > > > The candidate source is found at > > > > > <https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.67-rc1-candidate> > > > > > and at <https://github.com/apache/httpd/tree/2.4.67-rc1-candidate>. > > > > > > > > As CI shows, the mod_auth_digest build is broken if apr-util is built > > > > without crypto support, I had not realised that the apr_crypto_equals() > > > > function is inside an "#if APU_HAVE_CRYPTO". The implementation of that > > > > function doesn't actually depend on any crypto library. > > > > > > > > Not sure if we can change that in an apr-util patch release, probably > > > > requires apr-util 1.7.x. Maybe necessary to have mod_auth_digest depend > > > > on APU_HAVE_CRYPTO for now, I will make that change in trunk. > > > > > > > > (Not sure if I'd consider this a showstopper for that RC, still running > > > > other tests) > > > > > > We could pull the ap_crypto_equals() stuff up somewhere common from > > > modules/session/mod_session_crypto.c > > > > I took that and ran with it, wrapping the APR 1.8+ _timingsafe() > > functions: https://github.com/apache/httpd/pull/638 > > > > +1 to backport if CI works. > > The tedious parts of the release are not really multiplied by a new > candidate, so it is not a big deal to respin. > Might shorten the vote a little though.
FYI not planning to abandon rc1, will just follow it up.
