@Yehuda Katz: what do you think of my e-mail/comment below?

------- Original Message -------
On Tuesday, March 1st, 2022 at 8:11 PM, Jeroen Verhoeckx 
<j.verhoe...@protonmail.com> wrote:

>> Please keep your replies on the mailing list so that everyone can benefit 
>> from the discussion.
>
> Oh, sorry, I probably clicked on Reply and not Reply All! Will keep an eye on 
> that in the future!
>
> I'm worried that the version of Apache released by The Apache Software 
> Foundation is less safe because of the warnings [on this page of Red 
> Hat](https://access.redhat.com/solutions/445713):
>
> "Note that the versions of Apache HTTP Server included in the above products 
> are in most cases vastly different from the upstream community releases of 
> the same version.
> This is explained by Red Hat's Security Backporting Policy and is the most 
> common cause of admins/auditors trying to get a newer version of Apache.
> For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream 
> v2.2.26; however, they also include multiple CVE security fixes which are not 
> in the original community release of Apache httpd 2.2.26.
> Community releases of Apache httpd are NOT supported."
>
> What do you think of this?
>
> - Jeroen
>
> --------------------------------------------------------
> Support the independent web, use 
> [Firefox](https://www.mozilla.org/en-US/firefox/new/)

> ------- Original Message -------
> On Tuesday, March 1st, 2022 at 5:27 PM, Yehuda Katz <yeh...@ymkatz.net> wrote:
>
>> Please keep your replies on the mailing list so that everyone can benefit 
>> from the discussion.
>>
>> What is your "threat model" in which this way is less safe?
>>
>> For example: Are you worried that the packaged version from someone else has 
>> been modified with a backdoor? Are you worried that you would not be able to 
>> get RPMs for new versions in a timely fashion when a security issue is 
>> announced?
>>
>> There are different ways to address different concerns, but if you are more 
>> specific, we can make sure you get the best answer.
>>
>> - Y
>>
>> Sent from a device with a very small keyboard and hyperactive autocorrect.
>>
>> On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j.verhoe...@protonmail.com> 
>> wrote:
>>
>>>> Since you don't have paid support from RedHat, there is absolutely no 
>>>> reason to not install your own version of httpd.
>>>
>>> I don't mind doing that, but I'm afraid it's less safe?
>>>
>>> Thanks for thinking along!
>>>
>>> Jeroen Verhoeckx
>>>
>>> --------------------------------------------------------
>>> Support the independent web, use 
>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
>>>
>>> ------- Original Message -------
>>> On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz 
>>> <yeh...@ymkatz.net> wrote:
>>>
>>>> In terms of getting a RedHat engineer, it looks like you have done all you 
>>>> can do. There are RedHat developers on this list and on the RedHat forums 
>>>> and they also look at Bugzilla, so there probably isn't much more you can 
>>>> do.
>>>>
>>>> Since you don't have paid support from RedHat, there is absolutely no 
>>>> reason to not install your own version of httpd.
>>>>
>>>> - Y
>>>>
>>>> On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx 
>>>> <j.verhoe...@protonmail.com> wrote:
>>>>
>>>>> Hello Yehuda,
>>>>>
>>>>> First: sorry for my very late reply!
>>>>>
>>>>>> You mention in the bug report that you are running an old version of 
>>>>>> HTTPD because you are using the version packaged by RedHat.
>>>>>> Your bug report asks RedHat to backport the specific fixes for your 
>>>>>> issue.
>>>>>
>>>>> Yes, that's a really good summary of what I'm trying to achieve!
>>>>>
>>>>> About the two options:
>>>>>
>>>>> - I have the 'Red Hat Developer Subscription for Individuals' and thus 
>>>>> I'm not entitled to get any official support.
>>>>> - Red Hat strongly discourages the installation of a different version of 
>>>>> Apache (https://access.redhat.com/solutions/445713).
>>>>>
>>>>> I asked the same question on the Red Hat Community portal 
>>>>> (https://access.redhat.com/discussions/6756211) but so far I haven't got 
>>>>> any reaction.
>>>>>
>>>>> Does someone know where the Apache developers of Red Hat hang out?
>>>>>
>>>>> Jeroen Verhoeckx
>>>>>
>>>>> --------------------------------------------------------
>>>>> Support the independent web, use 
>>>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
>>>>>
>>>>> ------- Original Message -------
>>>>> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz 
>>>>> <yeh...@ymkatz.net> wrote:
>>>>>
>>>>>> I see two options for you going forward:
>>>>>> 1. Contacting RedHat: You need a subscription to do this. Posting to the 
>>>>>> upstream HTTPD mailing list probably won't help.
>>>>>>
>>>>>> 2. Use a different package: There are newer rpms available if you don't 
>>>>>> want to build your own. You can look at rpmfind or build the rpm 
>>>>>> yourself (https://httpd.apache.org/docs/2.4/platform/rpm.html).
>>>>>>
>>>>>> - Y
>>>>>>
>>>>>> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx 
>>>>>> <j.verhoe...@protonmail.com.invalid> wrote:
>>>>>>
>>>>>>> Hello Apache Administrators,
>>>>>>>
>>>>>>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, 
>>>>>>> but no one has responded since then.
>>>>>>>
>>>>>>> It's about this bug report:
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>>>>>>
>>>>>>> Does someone have an idea about what I could do next?
>>>>>>> Does someone know a place where I can contact RHEL Apache 
>>>>>>> developers/administrators?
>>>>>>> Or is there another friendly way to get attention for this bug report?
>>>>>>>
>>>>>>> Yours sincerely,
>>>>>>>
>>>>>>> Jeroen Verhoeckx
>>>>>>>
>>>>>>> --------------------------------------------------------
>>>>>>> Support the independent web, use 
>>>>>>> [Firefox](https://www.mozilla.org/en-US/firefox/new/)
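One check that follows from the Red Hat note quoted in this thread, as an added example that is not part of the thread: under a backporting policy the package version string says nothing about which CVE fixes are present, so the RPM changelog has to be read instead. The changelog, the NVR and the CVE ids below are constructed placeholders; on a RHEL host the real input is `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example (not from the thread): with vendor backporting, the package
# version string does not tell you which CVEs are fixed; the RPM changelog does.
# On a RHEL host the real input is:  rpm -q --changelog httpd
# The changelog below is constructed sample data and the CVE ids are placeholders.

SAMPLE_CHANGELOG='* Mon Jan 10 2022 Example Packager <pkg@example.invalid> - 2.4.37-43
- Resolves: CVE-1234-0001 out-of-bounds read in mod_example (backported fix)
- Resolves: CVE-1234-0002 request parsing hardening (backported fix)
* Tue Nov 02 2021 Example Packager <pkg@example.invalid> - 2.4.37-42
- rebuild with distribution patches'

# base_version NVR -> the upstream version inside a name-version-release string,
# i.e. the field between the last two hyphens ("httpd-2.4.37-43.example" -> "2.4.37").
# This is the number auditors compare against upstream; it says nothing about
# which fixes the vendor has backported on top of it.
base_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+)-[^-]+$/\1/'
}

# cve_fixed CVE-ID CHANGELOG -> status 0 if the changelog mentions that id.
# The ([^0-9]|$) suffix stops CVE-1234-0001 from also matching CVE-1234-00010.
cve_fixed() {
    printf '%s\n' "$2" | grep -qiE -- "$1"'([^0-9]|$)'
}

# missing_ids CHANGELOG CVE... -> echoes, space separated, every id the changelog
# does not mention; empty output means every listed id was found.
missing_ids() {
    changelog=$1; shift
    out=""
    for id in "$@"; do
        cve_fixed "$id" "$changelog" || out="$out${out:+ }$id"
    done
    printf '%s\n' "$out"
}

# Demonstration on the constructed data: the third id is not in the changelog.
echo "base version: $(base_version httpd-2.4.37-43.example)"
missing=$(missing_ids "$SAMPLE_CHANGELOG" CVE-1234-0001 CVE-1234-0002 CVE-1234-0003)
if [ -n "$missing" ]; then
    echo "not mentioned in changelog, check vendor errata: $missing"
else
    echo "all listed CVEs are mentioned in the changelog"
fi
```

A hit in the changelog is the vendor's claim that the fix was backported; the errata page for that release number is the authoritative record, so this is a first pass, not a substitute for it.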
