Distributing httpd-2.2, redux

[William A. Rowe, Jr.]

We've brought this up before and it sure didn't seem clear that we are
all of one mind on the issue (and the last opinions were registered
quite some time ago.)

We've agreed that httpd won't be tagging it's own apr, we will release
based on some minimum version (major.minor - since .subversion of apr
must remain binary forwards  backwards compatible from x.y.0 to x.y.n).
Right now for 2.1-dev that's 1.2, and might end up 1.3. or even 2.0 when
we are ready to declare httpd 2.2.0-GA.

We've agreed that httpd can pick up an installed apr (provided the
minimum version requirement is met.)  Likewise, apr and apr-util have
decided to pick up system iconv and expat.  (We shouldn't do that to
GNU libiconv without explicit decision by the user, but if it's the GNU
iconv bundled in libc.so - then it's bound by the same libc exception
clause.)

I don't know what httpd does w.r.t. pcre offhand.

On Win32 we've shipped httpd-2.0 source bundles with apr-iconv, while on
unix distributions we simply choke on enabling apr_xlate() and the
mod_charset_lite build.

So where do we stand?

  * Ship httpd-2.2.x.tar.gz without apr?  Then also drop pcre.
It seems that apr would equivilantly drop expat/iconv.

  * Ship httpd-2.2.x.tar.gz with a specific apr?  Then bundle expat,
pcre, and iconv?

One interesting synthisis we came up with on the #apr channel... what
if the desires/needs of both packaging folks (who want individual
components) and end users building from scratch could both be met?

  * Ship httpd-2.2.x.tar.gz (solo), and httpd-2.2.x-bundle.tar.gz which
includes all the sub-packages the user should likely need (including
pcre/apr/-util/expat/-iconv/)?  Perhaps even zlib/openssl?

Well there's the question, should we try to serve both, or argue over
which bits are bundled and which the user obtains/installs seperately.

Comments?

Bill

Re: Distributing httpd-2.2, redux

[Justin Erenkrantz]

--On September 30, 2005 1:43:50 PM -0500 William A. Rowe, Jr. 
[EMAIL PROTECTED] wrote:



   * Ship httpd-2.2.x.tar.gz (solo), and httpd-2.2.x-bundle.tar.gz which
 includes all the sub-packages the user should likely need (including
 pcre/apr/-util/expat/-iconv/)?  Perhaps even zlib/openssl?


IIRC, Subversion has already decided to go down this path for it's upcoming 
1.3.0 series.  So, I'm not adverse to this idea for httpd either.  It 
offers a compromise solution for our users - at the expense of some 
additional mirror space.  We'd have to be careful to document what's what 
too so our users don't get confused by the additional options.


(I would be against distributing anything beyond our 'bare' minimums - so 
no zlib or OpenSSL.)


My only comment about unbundling pcre is that we're *very* particular about 
the pcre version.  Most OS distribution's versions of pcre aren't even 
close to being acceptable. We can't rely on any OS-native regex engines 
either as they aren't sufficient.  For expat and iconv, any installed 
version will likely be satisfactory.  So, I think pcre must stay.  -- justin

Re: Distributing httpd-2.2, redux

[William A. Rowe, Jr.]

Justin Erenkrantz wrote:


(I would be against distributing anything beyond our 'bare' minimums - 
so no zlib or OpenSSL.)


I'll agree on the openssl count, although we really are only supporting
later 0.9.6/0.9.7 and focusing on 0.9.8.

But given how lightweight zlib is, and how much of a moving target it
was before 1.2.3, I'd strongly argue that 'deflate' is a core feature,
that if we teach httpd to 'reinflate' there are many old vulnerabilites
that we expose our users to, and that shipping 1.2.3 would add very
little pain for much mod_deflate gain.

My only comment about unbundling pcre is that we're *very* particular 
about the pcre version.


Then we should scream loudly if they don't grab the -bundle package that
their system pcre is quite crufty and can't be used?

Re: Distributing httpd-2.2, redux

[r . pluem]

William A. Rowe, Jr. wrote:
 Justin Erenkrantz wrote:
 

[..cut..]

 
 My only comment about unbundling pcre is that we're *very* particular
 about the pcre version.
 
 
 Then we should scream loudly if they don't grab the -bundle package that
 their system pcre is quite crufty and can't be used?
 

As far as I understood Justin, most OS'es do not deliver a usable pcre version
(cannot judge this myself).
So if most users are forced for that reason to download the bundle tar ball
I think the whole split in two tar's does not seem to make sense. So I guess
pcre should stay coupled with the core httpd tar bundle and everything else
can be moved to the bundle tar ball.

Regards

Rüdiger

Re: Distributing httpd-2.2, redux

[Gregor J. Rothfuss]

William A. Rowe, Jr. wrote:


But given how lightweight zlib is, and how much of a moving target it
was before 1.2.3, I'd strongly argue that 'deflate' is a core feature,
that if we teach httpd to 'reinflate' there are many old vulnerabilites
that we expose our users to, and that shipping 1.2.3 would add very
little pain for much mod_deflate gain.


it might be worth turning mod_deflate on by default. there are still too 
many sites out there that do not have it on.