osdir.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NOTICE: Intent to T&R 2.4.35 in the next few hours


On Fri, Sep 21, 2018 at 12:31 PM Dennis Clarke <dclarke@xxxxxxxxxxxxx> wrote:

Then this paragraph bugs me :

     This release requires the Apache Portable Runtime (APR), minimum
     version 1.5.x, and APR-Util, minimum version 1.5.x. Some features
     may require the 1.6.x version of both APR and APR-Util. The APR
     libraries must be upgraded for all features of httpd to operate
     correctly.

To me Apache httpd is the big dog of web services platforms in the open
world and so I have to wonder what features go missing and what features
get enabled with the latest and greatest apr and apr-util bits. Feels
like yet another text link notes.txt or similar. Worse, that means an
actual test build and check of httpd with older apr bits. How horrific
would it be to merely change the language of that paragraph and draw a
line in the sand thus :


     This release requires the Apache Portable Runtime (APR) and also
     the Apache Portable Runtime Utility. The APR libraries must be
     upgraded for all features of httpd to operate correctly.

Not "features". The original APR 1.4.x packages, corresponding to the
early httpd 2.4.x releases have known vulnerabilities to mitigate, which
read on an httpd build's behavior. I believe "correctly" is not a sufficient
caution.

I agree with you, that specific features in httpd docs should spell out
if an upgraded (post-1.4) flavor of apr[-util] is required for that feature.