Re: T of 2.4.24
> On Dec 23, 2016, at 2:32 AM, William A Rowe Jr wrote:
>
> I hope you sort this out in your ombudsman role, because this is the
> test of whether you understand ASF responsibilities, both legally,
> and in the sense of our entire ecosystem, and the will of your specific
> project who had a very firm position, before you undermined it.
>
> Cheers, and a Merry Christmas!

Bill, puhlease. Stick and carrot? Really?

Anyway, this seems appropriate:

" 'Saruman, Saruman!' said Gandalf, still laughing. 'Saruman, you missed your path in life. You should have been the king's jester and earned your bread, and stripes too, by mimicking his counsellors. Ah me!' he paused, getting the better of his mirth. 'Understand one another? I fear I am beyond your comprehension. But you, Saruman, I understand now too well. I keep a clearer memory of your arguments, and deeds, than you suppose. When last I visited you, you were the jailor of Mordor, and there I was to be sent. Nay, the guest who escaped from the roof, will think twice before he comes back in by the door.' "

I will give your comments the weight they deserve.
Re: T of 2.4.24
On Fri, Dec 9, 2016 at 8:03 AM, Jim Jagielski wrote:
>
>> On Dec 9, 2016, at 12:20 AM, William A Rowe Jr wrote:
>>
>> On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr wrote:
>>
>> @VP Legal, is this worth an escalation? You didn't see fit to respond today,
>> but I think this falls under the purview of your committee, w.r.t. unapproved
>> release artifacts living at www.apache.org/dist/. Did you have any thoughts
>> or opinions one way or another?
>
> How is this different from, say, the win32 src zips or the
> complimentary binary builds?

That's an interesting question, or questions...

For starters, source aren't binaries, but of course you knew that, as our esteemed VP, Legal. When ASF projects convey binaries, they convey them (purportedly) based on the current jars/wars of the dependencies (are there other dependent projects? SVN doesn't ship binaries, and I have no clue what OpenOffice does. Other non-java examples are few and far between.) These are fetched up fresh from maven or whatnot, and don't have a lot of bearing on how non-java projects do things. AIUI, those jars don't even supplant what is already provisioned, if those are more current, unless the manifest demands an old rev.

The prior win32 src (before I committed that to branch, not trunk, and didn't worry our silly heads about crlf after I wrote the apr fix script) didn't include extra artifacts, unless you count apr-iconv. And I have deep reservations about that call, if you've seen my comments about what citrus might bring us and lack of maintaining that BSD iconv fork.

Thanks for the redaction on the 2.4.25-deps artifact. Frankly, I would not have helped you push that out the door without that one concession. And mad props to JChapmion for pushing the announce, since I didn't have ASF smtp at the ready. So as always, it was an effort of many.

Fundamental issue with pushing -deps of, say, APR 1.5.2, is that the following week is that 1.5.3 with bug fixes is released. Is the httpd project responsible for updating -deps? Or f' ya all, download this package... it won't hurt you... hopefully?

Believe me, I went through all that as an httpd win32 binary distributor who bundled openssl, so I know this specific pain-point, and sense of responsibility, and did have to ship new interim binaries when bad things were disclosed.

I hope you sort this out in your ombudsman role, because this is the test of whether you understand ASF responsibilities, both legally, and in the sense of our entire ecosystem, and the will of your specific project who had a very firm position, before you undermined it.

Cheers, and a Merry Christmas!

Bill
Re: T of 2.4.24
On Fri, Dec 9, 2016 at 1:44 AM, Yann Ylavic wrote:
> On Thu, Dec 8, 2016 at 7:16 PM, William A Rowe Jr wrote:
>>
>> It does raise the question again of whether the httpd project can distribute
>> a source code package on www.apache.org/dist/httpd/ which is not voted
>> on by the project, and whether it violates the spirit of the pmc consensus
>> to no longer be the distributor of dependencies which frequently fall into
>> a poorly maintained/updated state.
>
> Current httpd-2.4.23-deps.tar.*/srclib seem to contain APR(-util)
> only, no expat or PCRE, wasn't this decision taken already?

The decision in Nov 2008 to drop pcre was followed, that was not in any -deps 'not-a-release' tarball. Expat was more deeply embedded; httpd-2.4.23/srclib/apr-util/xml/expat/

> httpd-2.2.32.tar.*/srclib contain PCRE 5.0 (according to Changelog),
> no expat, but it looks off topic for this T

Yup, I'm working on language that would accompany httpd-2.2.32.tar.gz that the distribution includes ancient, bundled legacy binary-compatible pcre and expat, and that users are strongly cautioned to provision pcre, expat and the most current versions of apr and apr-util themselves from the respective projects or their OS distribution.
Re: T of 2.4.24
On Thu, Dec 15, 2016 at 10:52 PM, Yann Ylavic wrote:
> On Thu, Dec 15, 2016 at 10:34 PM, Jim Jagielski wrote:
>> Done and done.
>
> Will voted it

I meant "will vote" in this typo, not veto ;)

Maybe Eric with an easy reproducer could confirm, but unless poll() consistently returns EINTR I don't see how his issue can happen on 2.4.24 (after 100ms from the signal to stop/restart).
Re: T of 2.4.24
On Thu, Dec 15, 2016 at 10:34 PM, Jim Jagielski wrote:
> Done and done.

Will voted it, but I don't think it's necessary for 2.4.24 (not harmful though, possibly useless).

>
>> On Dec 15, 2016, at 4:30 PM, Jim Jagielski wrote:
>>
>> Actually, it is:
>>
>> https://svn.apache.org/viewvc?view=revision=1772334

The wakeup changes mentioned by Eric are in r1762718 and follow ups, not backported yet.

In 2.4.24 we won't block indefinitely in poll() in any case, hence the keepalive cleanup should always be called on restart/shutdown anyway (every TIMEOUT_FUDGE_FACTOR).
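The two messages above turn on one design point: a listener loop that never blocks in poll() for longer than a bounded fudge timeout will notice a stop or restart request within that bound, whether the signal interrupts poll() (EINTR) or merely arrives between iterations. The following is an added, self-contained illustration of that pattern; it is not httpd's event MPM code, the 100 ms value, the function names (serve_until_stop, arm_stop_timer_ms, the two demo_ helpers) and the pipe-based input are all constructed for the example, and the signal behaviour assumed is Linux's, where a handled signal always makes a blocking poll() return EINTR.

```c
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/time.h>
#include <unistd.h>

/* Assumed value: httpd bounds each poll() wait with TIMEOUT_FUDGE_FACTOR so a
 * stop/restart request is noticed promptly. The 100 ms here is illustrative
 * (matching the "after 100ms" in the thread), not taken from httpd's source. */
#define FUDGE_MS 100

/* Set by the signal handler; the loop re-reads it after every poll() return,
 * whether that return delivered data, a timeout or EINTR. */
static volatile sig_atomic_t stop_requested = 0;

static void on_stop_signal(int sig) { (void)sig; stop_requested = 1; }

/* Hypothetical listener loop (not httpd's). Polls fd with a bounded timeout and
 * returns the number of poll() calls made before stop_requested was observed or
 * max_polls was reached, or -1 on an unexpected error. *eintr_count and
 * *ready_count record how each poll() return was classified. */
int serve_until_stop(int fd, int max_polls, int *eintr_count, int *ready_count)
{
    int polls = 0;
    *eintr_count = 0;
    *ready_count = 0;

    while (!stop_requested && polls < max_polls) {
        struct pollfd pfd;
        pfd.fd = fd; pfd.events = POLLIN; pfd.revents = 0;
        int rc = poll(&pfd, 1, FUDGE_MS);
        polls++;

        if (rc < 0) {
            if (errno == EINTR) {
                /* A signal cut the wait short: count it and let the loop condition
                 * re-read stop_requested instead of blindly re-entering poll(). */
                (*eintr_count)++;
                continue;
            }
            return -1;
        }
        if (rc > 0 && (pfd.revents & POLLIN)) {
            char buf[64];
            if (read(fd, buf, sizeof buf) > 0)
                (*ready_count)++;
        }
        /* rc == 0 is the bounded timeout: a server would run its periodic
         * housekeeping here (keepalive cleanup, say) and then re-check the flag. */
    }
    return polls;
}

/* Arms a one-shot SIGALRM to fire after ms milliseconds; returns 0 on success. */
int arm_stop_timer_ms(int ms)
{
    struct itimerval it;
    if (signal(SIGALRM, on_stop_signal) == SIG_ERR)
        return -1;
    it.it_interval.tv_sec = 0;
    it.it_interval.tv_usec = 0;
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Scenario 1: data arrives once, then the loop cycles on bounded timeouts.
 * Returns the poll count (3) when the pipe was drained exactly once, else -1. */
int demo_bounded_wait(void)
{
    int fds[2], eintr = 0, ready = 0, polls;
    if (pipe(fds) != 0) return -1;
    stop_requested = 0;
    if (write(fds[1], "x", 1) != 1) return -1;   /* constructed input: one byte */
    polls = serve_until_stop(fds[0], 3, &eintr, &ready);
    close(fds[0]); close(fds[1]);
    return (ready == 1 && eintr == 0) ? polls : -1;
}

/* Scenario 2: a stop signal lands while poll() is waiting. Returns the poll
 * count (0 if the signal beat the first poll(), otherwise 1 with one EINTR), or
 * -1 if the loop failed to stop promptly. */
int demo_signal_interrupt(void)
{
    int fds[2], eintr = 0, ready = 0, polls;
    if (pipe(fds) != 0) return -1;
    stop_requested = 0;
    if (arm_stop_timer_ms(30) != 0) return -1;
    polls = serve_until_stop(fds[0], 5, &eintr, &ready);
    close(fds[0]); close(fds[1]);
    if (!stop_requested || polls > 1 || (polls == 1 && eintr != 1)) return -1;
    return polls;
}

int main(void)
{
    printf("bounded wait: polls=%d\n", demo_bounded_wait());
    printf("signal interrupt: polls=%d\n", demo_signal_interrupt());
    return 0;
}
```

The second scenario is the one Yann reasons about: even if poll() did not return EINTR at all, the bounded timeout alone guarantees the flag is re-read within FUDGE_MS, so a stop request can only be missed if every iteration somehow fails to reach the loop condition.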
Re: T of 2.4.24
I'll give it until tomorrow AM... If we have the 3, it'll be folded in. If not, I'm not going to delay.

> On Dec 15, 2016, at 4:34 PM, Jim Jagielski wrote:
>
> Done and done.
>
>> On Dec 15, 2016, at 4:30 PM, Jim Jagielski wrote:
>>
>> Actually, it is:
>>
>> https://svn.apache.org/viewvc?view=revision=1772334
>>
>> So I would like to see the enhancement in:
>>
>> https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E
>>
>> applied to trunk and then proposed for backport.
>>
>>> On Dec 15, 2016, at 2:55 PM, Eric Covener wrote:
>>>
>>> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener wrote:
>>>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
>>>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>>>>>> From what I can see, there are no show-stoppers and
>>>>>> all my tests show no regressions...
>>>>>>
>>>>>> Let's shoot for a T this (east coast) evening... how does
>>>>>> that sound?
>>>>>
>>>>> +1 & thanks
>>>>
>>>> Sorry to be a buzzkill but I just replied to an April commit related
>>>> to PR53555 that I'd like some of the resident big brains to consider
>>>> as it will be new.
>>>>
>>>> But I guess it can be done in parallel with the vote since we have
>>>> been delayed so much and it's got a fair chance to be no worse than
>>>> 2.4.23.
>>>>
>>>> I do not think it is a showstopper but I see a little smoke there that
>>>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>>>
>>> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
>>> is no 2.4.x risk here.
>>>
>>> --
>>> Eric Covener
>>> cove...@gmail.com
Re: T of 2.4.24
Done and done.

> On Dec 15, 2016, at 4:30 PM, Jim Jagielski wrote:
>
> Actually, it is:
>
> https://svn.apache.org/viewvc?view=revision=1772334
>
> So I would like to see the enhancement in:
>
> https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E
>
> applied to trunk and then proposed for backport.
>
>> On Dec 15, 2016, at 2:55 PM, Eric Covener wrote:
>>
>> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener wrote:
>>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
>>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>>>>> From what I can see, there are no show-stoppers and
>>>>> all my tests show no regressions...
>>>>>
>>>>> Let's shoot for a T this (east coast) evening... how does
>>>>> that sound?
>>>>
>>>> +1 & thanks
>>>
>>> Sorry to be a buzzkill but I just replied to an April commit related
>>> to PR53555 that I'd like some of the resident big brains to consider
>>> as it will be new.
>>>
>>> But I guess it can be done in parallel with the vote since we have
>>> been delayed so much and it's got a fair chance to be no worse than
>>> 2.4.23.
>>>
>>> I do not think it is a showstopper but I see a little smoke there that
>>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>>
>> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
>> is no 2.4.x risk here.
>>
>> --
>> Eric Covener
>> cove...@gmail.com
Re: T of 2.4.24
Actually, it is:

https://svn.apache.org/viewvc?view=revision=1772334

So I would like to see the enhancement in:

https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E

applied to trunk and then proposed for backport.

> On Dec 15, 2016, at 2:55 PM, Eric Covener wrote:
>
> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener wrote:
>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>>>> From what I can see, there are no show-stoppers and
>>>> all my tests show no regressions...
>>>>
>>>> Let's shoot for a T this (east coast) evening... how does
>>>> that sound?
>>>
>>> +1 & thanks
>>
>> Sorry to be a buzzkill but I just replied to an April commit related
>> to PR53555 that I'd like some of the resident big brains to consider
>> as it will be new.
>>
>> But I guess it can be done in parallel with the vote since we have
>> been delayed so much and it's got a fair chance to be no worse than
>> 2.4.23.
>>
>> I do not think it is a showstopper but I see a little smoke there that
>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>
> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
> is no 2.4.x risk here.
>
> --
> Eric Covener
> cove...@gmail.com
Re: T of 2.4.24
On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener wrote:
> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>>> From what I can see, there are no show-stoppers and
>>> all my tests show no regressions...
>>>
>>> Let's shoot for a T this (east coast) evening... how does
>>> that sound?
>>
>> +1 & thanks
>
> Sorry to be a buzzkill but I just replied to an April commit related
> to PR53555 that I'd like some of the resident big brains to consider
> as it will be new.
>
> But I guess it can be done in parallel with the vote since we have
> been delayed so much and it's got a fair chance to be no worse than
> 2.4.23.
>
> I do not think it is a showstopper but I see a little smoke there that
> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.

Yann pointed out that the wakeup enhancement is not in 2.4.x so there
is no 2.4.x risk here.

--
Eric Covener
cove...@gmail.com
Re: T of 2.4.24
On 12/15/2016 08:09 PM, Eric Covener wrote:
> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>>> From what I can see, there are no show-stoppers and
>>> all my tests show no regressions...
>>>
>>> Let's shoot for a T this (east coast) evening... how does
>>> that sound?
>>
>> +1 & thanks

+1 and many thanks from me as well.

> Sorry to be a buzzkill but I just replied to an April commit related
> to PR53555 that I'd like some of the resident big brains to consider
> as it will be new.

Shame on you for being a buzzkill :-). No seriously, thanks for giving a heads up here.

Regards

Rüdiger
Re: T of 2.4.24
On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener wrote:
> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
>> From what I can see, there are no show-stoppers and
>> all my tests show no regressions...
>>
>> Let's shoot for a T this (east coast) evening... how does
>> that sound?
>
> +1 & thanks

Sorry to be a buzzkill but I just replied to an April commit related to PR53555 that I'd like some of the resident big brains to consider as it will be new.

But I guess it can be done in parallel with the vote since we have been delayed so much and it's got a fair chance to be no worse than 2.4.23.

I do not think it is a showstopper but I see a little smoke there that e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.

--
Eric Covener
cove...@gmail.com
Re: T of 2.4.24
+1 and *many* thanks!

> On 15.12.2016 at 16:13, Jim Jagielski <j...@jagunet.com> wrote:
>
> From what I can see, there are no show-stoppers and
> all my tests show no regressions...
>
> Let's shoot for a T this (east coast) evening... how does
> that sound?
>
>> On Dec 14, 2016, at 7:56 AM, Jim Jagielski <j...@jagunet.com> wrote:
>>
>> Looking at a T of 2.4.24 either the 15th or 16th...

Stefan Eissing
bytes GmbH
Hafenstrasse 16
48155 Münster
www.greenbytes.de
Re: T of 2.4.24
On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski wrote:
> From what I can see, there are no show-stoppers and
> all my tests show no regressions...
>
> Let's shoot for a T this (east coast) evening... how does
> that sound?

+1 & thanks

--
Eric Covener
cove...@gmail.com
Re: T of 2.4.24
From what I can see, there are no show-stoppers and all my tests show no regressions...

Let's shoot for a T this (east coast) evening... how does that sound?

> On Dec 14, 2016, at 7:56 AM, Jim Jagielski <j...@jagunet.com> wrote:
>
> Looking at a T of 2.4.24 either the 15th or 16th...
Re: T of 2.4.24
Looking at a T of 2.4.24 either the 15th or 16th...
Re: T of 2.4.24
On Dec 12, 2016 7:44 PM, "Daniel Ruggeri" wrote:

> On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
>> In spite of 34 registered project committee members, until other
>> contributors come forward to participate in the security patch review
>> process, we may simply have to declare all further efforts are currently
>> on pause.
>
> Does one have to be on PMC to review security patches? If not, can you
> give me a general idea on volume? This would be something I think
> $dayjob would be OK with me doing as part of keeping a shirt on my back
> and roof over the childrens' heads ;-)

This is something our httpd security team has revisited a few times over the past few years. To be on *httpd* security list, we require a certain level of trust. In the past, this was based on PMC membership. We have since tweaked things to bring in proven committers who are not yet on the PMC. Also, all ASF Members have access to private archived lists; this includes any PMC private lists and security lists across the foundation.

In terms of volume, there are only a handful of security issues per year, from none to a dozen, but many dozens of reports we have to evaluate and filter. It often takes probing questions of the reporter to distinguish their defect report from a vulnerability, or to quantify and qualify the exposure and risk.

The ASF-wide list is another beast, it is a massive spam trap, exceeding dozens of garbage messages per day, to capture about a dozen legitimate messages a day, and only a tiny handful of new inbound messages a day that are dispatched to the appropriate PMC's team. That list does require ASF Membership to volunteer because it has full visibility into most every defect.
Re: T of 2.4.24
On Mon, Dec 12, 2016 at 8:43 PM, Daniel Ruggeri wrote:
>
> On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
>> In spite of 34 registered project committee members, until other
>> contributors come forward to participate in the security patch review
>> process, we may simply have to declare all further efforts are currently
>> on pause.
>
> Does one have to be on PMC to review security patches? If not, can you
> give me a general idea on volume? This would be something I think
> $dayjob would be OK with me doing as part of keeping a shirt on my back
> and roof over the childrens' heads ;-)

Not necessary. Go ahead and subscribe to secur...@httpd.apache.org and someone should approve.

--
Eric Covener
cove...@gmail.com
Re: T of 2.4.24
On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
> In spite of 34 registered project committee members, until other
> contributors come forward to participate in the security patch review
> process, we may simply have to declare all further efforts are currently
> on pause.

Does one have to be on PMC to review security patches? If not, can you give me a general idea on volume? This would be something I think $dayjob would be OK with me doing as part of keeping a shirt on my back and roof over the childrens' heads ;-)

--
Daniel Ruggeri
Re: T of 2.4.24
> On Dec 12, 2016, at 1:26 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
>> Things are looking good for a T of 2.4.24 sometime late
>> today.
>>
>> If you have any issues or concerns, let me know asap.
>
> Hi Jim,
>
> we may have to concede, in light of many already partially disclosed
> CVE's, that it is impossible to proceed.

Well, Bill, I'm sorry to say I disagree. I also think that your characterization is wrong, incomplete and unwarranted.

See, the thing about releasing 2.4.24 is that it implies that at some time, we can also release a 2.4.25.
Re: T of 2.4.24
On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
> Things are looking good for a T of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.

Hi Jim,

we may have to concede, in light of many already partially disclosed CVE's, that it is impossible to proceed.

At this moment, there are 5 committers who have invested time and energy at looking at the current open issues. Of the stale issues, 2 refuse to fix the reported issues directly, while 3 others have lingering patches that would fix the core defects. There is a straightforward solution to solving such issues, but the quick-fix has issues of its own. Only three votes are required to incorporate the fix, but in the face of an objection, four are required to overrule a hold-out (assuming it is even the right solution.)

Five is simply too small a number to sustain a security team at any project of this complexity. That isn't pointing fingers at any person whatsoever, it's an assessment of the situation.

In spite of 34 registered project committee members, until other contributors come forward to participate in the security patch review process, we may simply have to declare all further efforts are currently on pause.

Sincerely, thanks for trying to push this release forward. I hope this is all resolved quickly.
Re: T of 2.4.24
> On Dec 9, 2016, at 12:20 AM, William A Rowe Jr wrote:
>
> On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr wrote:
>
> @VP Legal, is this worth an escalation? You didn't see fit to respond today,
> but I think this falls under the purview of your committee, w.r.t. unapproved
> release artifacts living at www.apache.org/dist/. Did you have any thoughts
> or opinions one way or another?

How is this different from, say, the win32 src zips or the complimentary binary builds?
Re: T of 2.4.24
On Thu, Dec 8, 2016 at 7:16 PM, William A Rowe Jr wrote:
>
> It does raise the question again of whether the httpd project can distribute
> a source code package on www.apache.org/dist/httpd/ which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.

Current httpd-2.4.23-deps.tar.*/srclib seem to contain APR(-util) only, no expat or PCRE, wasn't this decision taken already?

httpd-2.2.32.tar.*/srclib contain PCRE 5.0 (according to Changelog), no expat, but it looks off topic for this T

Am I missing something?
Re: T of 2.4.24
On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr wrote:
> On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski wrote:
>
>> AFAICT there is no consensus. But is this really a blocker?
>
> I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant vulnerability
> fixes (everyone seems very enamored with fuzz generators this past few years.)
>
> It doesn't block creation of httpd-2.4.24.tar.gz, obviously.
>
> It does raise the question again of whether the httpd project can distribute
> a source code package on www.apache.org/dist/httpd/ which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.

@VP Legal, is this worth an escalation? You didn't see fit to respond today, but I think this falls under the purview of your committee, w.r.t. unapproved release artifacts living at www.apache.org/dist/. Did you have any thoughts or opinions one way or another?
Re: T of 2.4.24
Scratch that... Instead, I plan on doing it on Monday, to provide some additional time for some things to get locked down and resolved.

My apologies for those waiting for 2.4.24...

> On Dec 8, 2016, at 9:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
>
> Things are looking good for a T of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.
Re: T of 2.4.24
On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <j...@jagunet.com> wrote:
> AFAICT there is no consensus. But is this really a blocker?

I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant vulnerability fixes (everyone seems very enamored with fuzz generators this past few years.)

It doesn't block creation of httpd-2.4.24.tar.gz, obviously.

It does raise the question again of whether the httpd project can distribute a source code package on www.apache.org/dist/httpd/ which is not voted on by the project, and whether it violates the spirit of the pmc consensus to no longer be the distributor of dependencies which frequently fall into a poorly maintained/updated state.

So it's simply a question about the -deps package, and since that is never given a release vote, it really isn't holding up any tag & roll.

>> On Dec 8, 2016, at 12:38 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
>> Things are looking good for a T of 2.4.24 sometime late
>> today.
>>
>> If you have any issues or concerns, let me know asap.
>>
>> Do we have any consensus on dropping the stale and vulnerable
>> expat or pcre packages from the pretending-not-to-be-released
>> -deps artifact in the www.a.o/dist/httpd/ releases tree?
Re: T of 2.4.24
AFAICT there is no consensus. But is this really a blocker?

> On Dec 8, 2016, at 12:38 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
> Things are looking good for a T of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.
>
> Do we have any consensus on dropping the stale and vulnerable
> expat or pcre packages from the pretending-not-to-be-released
> -deps artifact in the www.a.o/dist/httpd/ releases tree?
Re: T of 2.4.24
On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
> Things are looking good for a T of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.

Do we have any consensus on dropping the stale and vulnerable expat or pcre packages from the pretending-not-to-be-released -deps artifact in the www.a.o/dist/httpd/ releases tree?
T of 2.4.24
Things are looking good for a T of 2.4.24 sometime late today.

If you have any issues or concerns, let me know asap.