Re: Knocking items off the plate, one by one
http://archives.apache.org/dist/httpd is always out there ;-)

Not strictly a dev subject, but: Speaking of archives, I noticed there are no pre-1.3 sources there. For a real archive, it'd be nice to have them there. I have placed Apache httpd 1.1.1 and 1.1.3 on http://sanguis.xs4all.nl/apache/ and I'm sure there are people here who have other old (pre-1.3) stuff too.

Joost
Re: Knocking items off the plate, one by one
Joost de Heer wrote:

http://archives.apache.org/dist/httpd is always out there ;-)

Not strictly a dev subject, but: Speaking of archives, I noticed there are no pre-1.3 sources there. For a real archive, it'd be nice to have them there.

Okay, I just noticed that there are a few 1.2 sources in the 'beta' subdirectory

Joost
Knocking items off the plate, one by one
Before Dublin, I'd like to scratch several of my own itches to start with something of a 'blank page' and moving forward with new stuff, rather than our usual rehashes @ the hackathon.

Numero Uno is to permanently remove apache 1.3.x from our live http://www.apache.org/dist/httpd/binaries/win32/ site, I have no interest in rolling 1.3.36 since it solves no apparent problems that 1.3.34 had, but moreso, httpd 2.0 is well over four years old. http://archives.apache.org/dist/httpd is always out there ;-)

I simply have no reason to roll 1.3.x binaries as there is no sane reason for them to continue to be used on Windows. (As I've said before, on Unix I'm entirely neutral.) Please vote;

[ ] Jettison apache/win 1.3 binaries to a footnote of history in archives
[ ] Beg of Bill, One more Round! of 1.3.36 for old times sake
[ ] Keep them available from www even if they are never updated again
[ ] I'm insane, I'll take over rolling 1.3, fill me in on the procedure Bill?

If jettisoned, I'll simply remove any 1.3 language from the page. There is already a note Looking for older binaries? Please don't which goes on to point out where they live for the sadists. That should cover it. Any other thoughts?

Second verse, same as the first, we have some _old_ directories lingering in httpd/binaries/..., I will kill these today once I know for a fact they are mirrored already on archives.apache.org (I thought we had killed these before.)

Third verse (sing along!) our web site reports

Fixed in Apache httpd 1.3.32
moderate: mod_proxy buffer overflow CVE-2004-0492

Fixed in Apache httpd 2.0.55
moderate: HTTP Request Spoofing CVE-2005-2088

Each of these is out of the control of the operator once they enable common features, as opposed to other more recent, very specific flaws that need specific configuration, unusual use cases or local web administration access to trigger or reproduce. (Who uses IMAP lol?)

So the final vote that we need to have a consensus on is;

[ ] Remove all pre 2.0.55/pre 1.3.32 binaries from www.a.o (to archive.a.o)
[ ] Leave the last unmaintained 2.0.x in whatever state it's in
[ ] Leave the last unmaintained 1.3.x and 2.0.x in whatever state they are in

Votes/comments please?

Thanks, Bill
Re: Knocking items off the plate, one by one
On Fri, Jun 09, 2006 at 01:02:23PM -0500, William A. Rowe, Jr. wrote:

From the peanut gallery

[X] Jettison apache/win 1.3 binaries to a footnote of history in archives

I'd even go as far as removing all of them or if _really_ wanting to keep one, then keep the latest around but be ready to remove that if any security problems are discovered in the future.

[ ] Remove all pre 2.0.55/pre 1.3.32 binaries from www.a.o (to archive.a.o)
[ ] Leave the last unmaintained 2.0.x in whatever state it's in
[ ] Leave the last unmaintained 1.3.x and 2.0.x in whatever state they are in
[X] As above - keep the latest as long as it is good, but be ready to remove it.

I don't really see much reason for having 2.0.x bins at all, but keeping old ones around is just asking for trouble imho. Sure, if someone wants to roll bins from 2.0, then no problem - but keeping an archive of old versions is just like giving people enough rope...

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Knocking items off the plate, one by one
On 06/09/2006 08:02 PM, William A. Rowe, Jr. wrote:

I'm entirely neutral.) Please vote;

[X] Jettison apache/win 1.3 binaries to a footnote of history in archives
[ ] Beg of Bill, One more Round! of 1.3.36 for old times sake
[ ] Keep them available from www even if they are never updated again
[ ] I'm insane, I'll take over rolling 1.3, fill me in on the procedure Bill?

So the final vote that we need to have a consensus on is;

[X] Remove all pre 2.0.55/pre 1.3.32 binaries from www.a.o (to archive.a.o)
[ ] Leave the last unmaintained 2.0.x in whatever state it's in
[ ] Leave the last unmaintained 1.3.x and 2.0.x in whatever state they are in

Votes/comments please?

Please find my X'es above.

Regards

Rüdiger
Re: Knocking items off the plate, one by one
On Jun 9, 2006, at 12:57 PM, Mads Toftum wrote:

I don't really see much reason for having 2.0.x bins at all, but keeping old ones around is just asking for trouble imho.

Here's a scenario: I have mod_x, compiled against Apache HTTP Server version y. The makers of mod_x are bitches and do not keep up with Apache development, so when the MMN changes, the module breaks. They say mod_x is supported with Apache 2.0.y. Go get Apache 2.0.y if you want to use mod_x. Sorry, we cannot support versions of Apache later than 2.0.y. Don't even think about mentioning Apache 2.2. Now give us all your money.

It would be a great thing if I could download a binary of Apache HTTP Server version y to drop mod_x into, especially on platforms that do not come with a C compiler (cough Win32 cough). This would make life considerably easier if I had to quickly integrate mod_x, or if I had to replicate my customer's deployment environment down to the xes and ys. In fact, this very scenario happened to me with Tomcat where I ran into some very finicky version dependencies.

Now we, in httpd land, don't habitually rewrite our entire project between dot versions, but it might be a good idea to make available a binary for the last released version before a major MMN bump. Disk is (fairly) cheap after all.

What trouble? Do we ever make any claims about our software beyond if it breaks, you get to keep the pieces? Source or otherwise?

S.

--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: Knocking items off the plate, one by one
Sander Temme wrote:

On Jun 9, 2006, at 12:57 PM, Mads Toftum wrote:

I don't really see much reason for having 2.0.x bins at all, but keeping old ones around is just asking for trouble imho.

What trouble? Do we ever make any claims about our software beyond if it breaks, you get to keep the pieces? Source or otherwise?

Well, although I agree with Sander's assessment as far back as 2.0, I'm not really fond of the argument to hang on to win32 1.3 specifically. Unix? If one is packaged and doesn't have a vulnerability, sure. Just make sure it's not the first choice displayed for the user to pick from, shown anywhere.

And no, we don't warranty the software. But someone has to go through and close worthless bug reports, triage #apache irc traffic, triage [EMAIL PROTECTED] traffic. Not saying this is you - or me even. In fact that's why I asked, because I figure the people who are kind enough to even bother doing these tasks are the ones to decide how long a stale source or binary package ought to be hanging around.

As far as -this- list is concerned, I hope we are mostly excited for 2.e.x stable and 2.o.x alpha and beta offerings that we are actually trying to improve :) Anyone dwelling heavily in improving 1.3 or 2.0 is really saying to the list, here's my pocket veto of what you did in the current trunk.

Anyone dwelling on fixing 1.3 or 2.0 - just to keep it working, well I think most of them fall in Sander's camp - a lot of folks must have some server that is running mod_slowvendor, and they can't yet make a move, or worse, they don't have internal engineering resources to move mod_ourfoo which some dev long gone customized at the company.

So nothing against fixing bugs or keeping a 2.0 around at least as long as it takes us to make 2.4 happen, here. I'm partial to making 1.3 win32 binaries go away, and I'm partial to making any inherently insecure binary go away. Beyond that shrug/.

Bill