Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Yann Ylavic
On Sun, May 7, 2017 at 3:17 AM, William A Rowe Jr wrote:
> On May 5, 2017 13:32, "Jim Jagielski" wrote:
>
> +1... Let's do it.
>
> BTW, I would adjust #16 to include:
>
>     Add the CVE to the CHANGES file.
>
> That way, it's still documented in CHANGES, just after the release
> is spun out, so it shows up in the next release's CHANGES.
>
>
> ... And if we follow through, the copy on httpd.a.o/dist/httpd/ (both 2.x
> and 2.x.y files) can be the annotated flavors.  +1 from me.

+1 here too.


Re: The drive for 2.4.26

2017-05-22 Thread Gregg Smith

Yes it did, thanks for following up.

On 5/22/2017 9:23 AM, Jacob Champion wrote:

> On 04/20/2017 01:06 PM, Gregg Smith wrote:
>
> This is ApacheBench, Version 2.3 <$Revision: 1750960 $>
> Same result with trunk, it just hangs.
>
> Glad it's not just Windows!
>
> Gregg, did Rainer's patch work for you on Windows? Looks like it hasn't
> been pushed into trunk yet, so I'll apply it today and will be proposing
> for backport.
>
> --Jacob


Re: The drive for 2.4.26

2017-05-22 Thread Jacob Champion

On 04/20/2017 01:06 PM, Gregg Smith wrote:

This is ApacheBench, Version 2.3 <$Revision: 1750960 $>
Same result with trunk, it just hangs.

Glad it's not just Windows!


Gregg, did Rainer's patch work for you on Windows? Looks like it hasn't 
been pushed into trunk yet, so I'll apply it today and will be proposing 
for backport.


--Jacob


Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Eric Covener
On Mon, May 22, 2017 at 10:58 AM, Eric Covener wrote:
> Last chance for anyone else to speak up.

Not really "last", but before this thread is lost forever to everyone's
mail archives.

-- 
Eric Covener
cove...@gmail.com


Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Eric Covener
On Sat, May 6, 2017 at 9:17 PM, William A Rowe Jr wrote:
> On May 5, 2017 13:32, "Jim Jagielski" wrote:
>
> +1... Let's do it.
>
> BTW, I would adjust #16 to include:
>
>     Add the CVE to the CHANGES file.
>
> That way, it's still documented in CHANGES, just after the release
> is spun out, so it shows up in the next release's CHANGES.
>
>
> ... And if we follow through, the copy on httpd.a.o/dist/httpd/ (both 2.x
> and 2.x.y files) can be the annotated flavors.  +1 from me.

Last chance for anyone else to speak up.


Re: The drive for 2.4.26

2017-05-22 Thread Jim Jagielski
I think we are *really* close! What say we try for a T
sometime this week?

Who wants to RM? If no one does, I will.


Re: Ideas from ApacheCon

2017-05-22 Thread Jim Jagielski
I'll let Jim Riggs answer that...it came up during his mod_cache
talk.

> On May 18, 2017, at 2:25 PM, Eric Covener wrote:
>
> On Thu, May 18, 2017 at 2:22 PM, Rainer Jung wrote:
>>>  o Look into AAA and mod_cache; eg: "bolt in at the end"
> 
> Does that differ from "CacheQuickHandler OFF"?
> 
> 
> 
> -- 
> Eric Covener
> cove...@gmail.com



in case someone missed this

2017-05-22 Thread Stefan Eissing
The OCSP weaknesses in our server as experienced during the LetsEncrypt server 
outage:
https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html