Posted to dev@httpd.apache.org by "stefan@eissing.org" <st...@eissing.org> on 2021/08/30 11:35:30 UTC

release?

In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?

Cheers,
Stefan

Re: release?

Posted by Graham Leggett <mi...@sharp.fm>.
On 30 Aug 2021, at 12:35, stefan@eissing.org wrote:

> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?

When I did it in the past, I walked through the commit emails of previous releases, and performed the same steps.

Regards,
Graham



Re: APR 1.7.1 release?

Posted by Noel Butler <no...@ausics.net>.
On 31/08/2021 18:09, Rainer Jung wrote:

> Hi there,
> 
> any chance we find an RM for an APR 1.7.1 release? At least there was
> the fix for CVE-2021-35940 and CHANGES contains 15 more items (many of 
> them platform specific or build improvements). Last release 1.7.0 was 
> in April 2019.
> 
> For APR-util I don't know the current state and release needs for the 
> 1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 1.7.x 
> has never been released. CHANGES for 1.6.x only contains one 
> apr_dbm_gdbm fix plus a minor libtool use improvement.
> 
> Apache httpd is planning to start a release cycle soon and it would be
> nice to have a clean APR 1.7.1 and maybe APR-util also.
> 
> Thanks and regards,
> 
> Rainer

+1

Also, apr-util needs to be run out as well, I asked about this November
last year to resolve issues with later mariadb versions that still today 
need manual patch

-- 
Regards,
Noel Butler


Re: APR 1.7.1 release?

Posted by Michael Osipov <mi...@apache.org>.
On 2021-08-31 at 10:09, Rainer Jung wrote:
> Hi there,
> 
> any chance we find an RM for an APR 1.7.1 release? At least there was the
> fix for CVE-2021-35940 and CHANGES contains 15 more items (many of them 
> platform specific or build improvements). Last release 1.7.0 was in 
> April 2019.
> 
> For APR-util I don't know the current state and release needs for the 
> 1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 1.7.x 
> has never been released. CHANGES for 1.6.x only contains one 
> apr_dbm_gdbm fix plus a minor libtool use improvement.
> 
> Apache httpd is planning to start a release cycle soon and it would be
> nice to have a clean APR 1.7.1 and maybe APR-util also.

Oh yes please. I have done a few backports in APR 1.7.x which affect 
Tomcat on Windows as well as the libtool stuff for HP-UX.


Re: APR 1.7.1 release?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Sep 10, 2021 at 3:34 AM Ruediger Pluem <rp...@apache.org> wrote:
>
> On 9/10/21 10:28 AM, Steffen Land wrote:
> > Please be sure that the following two are included in 1.7.1 :
> >
> > PR 63491 regression in 1.7, see https://www.apachelounge.com/viewtopic.php?p=39558
>
> r1882155 brought this already to 1.7.
>
> > PR 61165 CPU deadlock under load, see  https://github.com/SpiderLabs/ModSecurity/issues/2181
>
> Looks like to me that r1860057 is not backported yet to 1.7.

I agree with the fix and will pick this up shortly.

Re: APR 1.7.1 release?

Posted by Ruediger Pluem <rp...@apache.org>.

On 9/10/21 10:28 AM, Steffen Land wrote:
> Please be sure that the following two are included in 1.7.1 :
> 
> PR 63491 regression in 1.7, see https://www.apachelounge.com/viewtopic.php?p=39558

r1882155 brought this already to 1.7.

> PR 61165 CPU deadlock under load, see  https://github.com/SpiderLabs/ModSecurity/issues/2181

Looks like to me that r1860057 is not backported yet to 1.7.

Thanks for the heads up.

Regards

Rüdiger


Re: APR 1.7.1 release?

Posted by Steffen Land <in...@apachelounge.com>.

Please be sure that the following two are included in 1.7.1 :

PR 63491 regression in 1.7, see 
https://www.apachelounge.com/viewtopic.php?p=39558
PR 61165 CPU deadlock under load, see  
https://github.com/SpiderLabs/ModSecurity/issues/2181


Steffen



On Friday 10/09/2021 at 00:00, William A Rowe Jr  wrote:
> Just as a reminder, with the goal to drop 1.7 apr and 1.7 apr-util
> releases in one week,
> please observe the practices in other projects and ask for 2 more sets
> of eyeballs for
> 3 validated +1's on patches before backporting to these trees for the
> next week. TIA!
>
> I've had some success tweaking the abts framework to accomplish some
> win32 fileinfo
> validation of my proposed patch, so I should land that for willing
> reviewers by CoB
> tomorrow. I know we have several associated with the Subversion PMC 
> willing to
> lend a review, but I'll be following the same process with these fixes
> to cure, and
> further solve the apr 1.6.0 original and 1.7.1 release quirks with
> mount symlinks.
>
> Bill
>
> On Thu, Sep 2, 2021 at 8:44 PM William A Rowe Jr <wr...@rowe-clan.net> 
> wrote:
>>
>>
>> I'm willing to RM APR and APR-util 1.7 releases.
>>
>> Would propose we set a date out 2 weeks, anything lingering needs
>> to be finalized with the usual oversight no later than the 8th, and
>> we tag on the 14th, announce on the 15th when the mirrors have
>> caught up. That gives enough days for committers to review the
>> last changes to these release branches.
>>
>> But I'd be happier co-RM'ing this with a newer committer/PMC
>> participant who wants to learn the ropes. Any volunteers?
>> Other thoughts or observations?
>>
>> On Tue, Aug 31, 2021 at 3:09 AM Rainer Jung <ra...@kippdata.de> 
>> wrote:
>>>
>>>
>>> Hi there,
>>>
>>> any chance we find an RM for an APR 1.7.1 release? At least there was
>>> the
>>> fix for CVE-2021-35940 and CHANGES contains 15 more items (many of 
>>> them
>>> platform specific or build improvements). Last release 1.7.0 was in
>>> April 2019.
>>>
>>> For APR-util I don't know the current state and release needs for the
>>> 1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 
>>> 1.7.x
>>> has never been released. CHANGES for 1.6.x only contains one
>>> apr_dbm_gdbm fix plus a minor libtool use improvement.
>>>
>>> Apache httpd is planning to start a release cycle soon and it would be
>>> nice to have a clean APR 1.7.1 and maybe APR-util also.
>>>
>>> Thanks and regards,
>>>
>>> Rainer


Re: APR 1.7.1 release?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
Just as a reminder, with the goal to drop 1.7 apr and 1.7 apr-util
releases in one week,
please observe the practices in other projects and ask for 2 more sets
of eyeballs for
3 validated +1's on patches before backporting to these trees for the
next week. TIA!

I've had some success tweaking the abts framework to accomplish some
win32 fileinfo
validation of my proposed patch, so I should land that for willing
reviewers by CoB
tomorrow. I know we have several associated with the Subversion PMC willing to
lend a review, but I'll be following the same process with these fixes
to cure, and
further solve the apr 1.6.0 original and 1.7.1 release quirks with
mount symlinks.

Bill

On Thu, Sep 2, 2021 at 8:44 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> I'm willing to RM APR and APR-util 1.7 releases.
>
> Would propose we set a date out 2 weeks, anything lingering needs
> to be finalized with the usual oversight no later than the 8th, and
> we tag on the 14th, announce on the 15th when the mirrors have
> caught up. That gives enough days for committers to review the
> last changes to these release branches.
>
> But I'd be happier co-RM'ing this with a newer committer/PMC
> participant who wants to learn the ropes. Any volunteers?
> Other thoughts or observations?
>
> On Tue, Aug 31, 2021 at 3:09 AM Rainer Jung <ra...@kippdata.de> wrote:
> >
> > Hi there,
> >
> > any chance we find an RM for an APR 1.7.1 release? At least there was the
> > fix for CVE-2021-35940 and CHANGES contains 15 more items (many of them
> > platform specific or build improvements). Last release 1.7.0 was in
> > April 2019.
> >
> > For APR-util I don't know the current state and release needs for the
> > 1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 1.7.x
> > has never been released. CHANGES for 1.6.x only contains one
> > apr_dbm_gdbm fix plus a minor libtool use improvement.
> >
> > Apache httpd is planning to start a release cycle soon and it would be
> > nice to have a clean APR 1.7.1 and maybe APR-util also.
> >
> > Thanks and regards,
> >
> > Rainer

Re: APR 1.7.1 release?

Posted by Rainer Jung <ra...@kippdata.de>.
On 03.09.2021 at 03:44, William A Rowe Jr wrote:
> I'm willing to RM APR and APR-util 1.7 releases.

That would be great.

> Would propose we set a date out 2 weeks, anything lingering needs
> to be finalized with the usual oversight no later than the 8th, and
> we tag on the 14th, announce on the 15th when the mirrors have
> caught up. That gives enough days for committers to review the
> last changes to these release branches.

Sounds like a plan, though I can't judge on which important things need 
to be fixed. Hopefully nothing.

> But I'd be happier co-RM'ing this with a newer committer/PMC
> participant who wants to learn the ropes. Any volunteers?
> Other thoughts or observations?

Regards,

Rainer

Re: APR 1.7.1 release?

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Dec 23, 2021 at 7:37 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Fri, Dec 17, 2021 at 10:09 AM Yann Ylavic <yl...@gmail.com> wrote:
> >
> > On Fri, Sep 3, 2021 at 3:44 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> > >
> > > But I'd be happier co-RM'ing this with a newer committer/PMC
> > > participant who wants to learn the ropes. Any volunteers?
> >
> > \o_ thanks for helping! Anytime for, maybe in early 2022 days?
>
> 1. Is that an offer?

Sure it is :) I'm happy to assist you in the release process and learn about it.
I looked at the release.sh script which is quite simple and the
preliminary tagging process from the previous release, but following
someone who knows is always better..

>
> In any case I see us shipping a minimal APR 1.7.x with the fixes at hand and for
> Windows FS that frustrated some svn users. The scope of the unix domain socket
> enablement are probably late into January/early Feb. Unsure what other folks are
> working on that fit into the 1.8 bump.

I already backported the unix socket changes to 1.7.x, though Ivan
objected already given the non trivial changes.
I'd like it to be in 1.7.1 (mainly because of the new atomic/once
wakeup which is useful for httpd's mpm_event usage), but not a strong
opinion either so I could revert if it's an uncomfortable change.

Besides, current 1.7.x is not a minimal change already w.r.t. 1.7.0,
some not-so-trivial backports are to address issues raised by running
ASAN built APR and httpd through their test suites (namely apr_pool's
r1884100, apr_thread's r1884103, apr_thread_pool's r1884110).
Those have landed for quite some time now, but more eyes are always welcome.

>
> We all need to review APR-util 1.7.0-dev, to ensure it's ready. That
> could happen
> before year end, or early next year, depending on how stable it is.

+1

>
> So yes, I'd be grateful for your help, and more than happy to help you :)

Great, let's go whenever you have the time for it ;)


Cheers;
Yann.

Re: APR 1.7.1 release?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Dec 17, 2021 at 10:09 AM Yann Ylavic <yl...@gmail.com> wrote:
>
> Hi Bill,
>
> On Fri, Sep 3, 2021 at 3:44 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > I'm willing to RM APR and APR-util 1.7 releases.
>
> Any news on this?

I have the holidays, after the weekend, before that other end of year weekend to
my own home and affairs and loose ends, so I can go forward, and with any luck,
kick off both sets of filesystem problems in win32 (junction/symlink
along with the
brand new non-FS pseudo-domain-socket entities which are also nightmares.)

> > But I'd be happier co-RM'ing this with a newer committer/PMC
> > participant who wants to learn the ropes. Any volunteers?
>
> \o_ thanks for helping! Anytime for, maybe in early 2022 days?

1. Is that an offer?

In any case I see us shipping a minimal APR 1.7.x with the fixes at hand and for
Windows FS that frustrated some svn users. The scope of the unix domain socket
enablement are probably late into January/early Feb. Unsure what other folks are
working on that fit into the 1.8 bump.

We all need to review APR-util 1.7.0-dev, to ensure it's ready. That
could happen
before year end, or early next year, depending on how stable it is.

So yes, I'd be grateful for your help, and more than happy to help you :)

Re: APR 1.7.1 release?

Posted by Jan Ehrhardt <ph...@ehrhardt.nl>.
Yann Ylavic in gmane.comp.apache.apr.devel (Fri, 17 Dec 2021 17:08:45
+0100):
>Hi Bill,
>
>On Fri, Sep 3, 2021 at 3:44 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> I'm willing to RM APR and APR-util 1.7 releases.
>
>Any news on this?

Somebody on Apachelounge was asking about this:
https://www.apachelounge.com/viewtopic.php?p=40872
-- 
Jan


Re: APR 1.7.1 release?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Bill,

On Fri, Sep 3, 2021 at 3:44 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> I'm willing to RM APR and APR-util 1.7 releases.

Any news on this?

>
> But I'd be happier co-RM'ing this with a newer committer/PMC
> participant who wants to learn the ropes. Any volunteers?

\o_ thanks for helping! Anytime for, maybe in early 2022 days?


Cheers;
Yann.

Re: APR 1.7.1 release?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
I'm willing to RM APR and APR-util 1.7 releases.

Would propose we set a date out 2 weeks, anything lingering needs
to be finalized with the usual oversight no later than the 8th, and
we tag on the 14th, announce on the 15th when the mirrors have
caught up. That gives enough days for committers to review the
last changes to these release branches.

But I'd be happier co-RM'ing this with a newer committer/PMC
participant who wants to learn the ropes. Any volunteers?
Other thoughts or observations?

On Tue, Aug 31, 2021 at 3:09 AM Rainer Jung <ra...@kippdata.de> wrote:
>
> Hi there,
>
> any chance we find an RM for an APR 1.7.1 release? At least there was the
> fix for CVE-2021-35940 and CHANGES contains 15 more items (many of them
> platform specific or build improvements). Last release 1.7.0 was in
> April 2019.
>
> For APR-util I don't know the current state and release needs for the
> 1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 1.7.x
> has never been released. CHANGES for 1.6.x only contains one
> apr_dbm_gdbm fix plus a minor libtool use improvement.
>
> Apache httpd is planning to start a release cycle soon and it would be
> nice to have a clean APR 1.7.1 and maybe APR-util also.
>
> Thanks and regards,
>
> Rainer

APR 1.7.1 release?

Posted by Rainer Jung <ra...@kippdata.de>.
Hi there,

any chance we find an RM for an APR 1.7.1 release? At least there was the
fix for CVE-2021-35940 and CHANGES contains 15 more items (many of them 
platform specific or build improvements). Last release 1.7.0 was in 
April 2019.

For APR-util I don't know the current state and release needs for the 
1.6.x and 1.7.x branches. Last 1.6.x release was in October 2017, 1.7.x 
has never been released. CHANGES for 1.6.x only contains one 
apr_dbm_gdbm fix plus a minor libtool use improvement.

Apache httpd is planning to start a release cycle soon and it would be
nice to have a clean APR 1.7.1 and maybe APR-util also.

Thanks and regards,

Rainer

Re: release?

Posted by "stefan@eissing.org" <st...@eissing.org>.
The v2 release scripts in ^/httpd/dev-tools do now work for me
to create the tarballs, checksums and signatures for a release
vote and push them to dist.apache.org.

The steps after a vote need some more work. I will do that in the
coming days. However, since we can do a vote now, this is not that
pressing.

The "announce.sh" part should stay usable as it is. I have no plans 
to update that one, since I have 0 experience what this really does 
and where any problems/room for improvements are.

Cheers,
Stefan


> On 02.09.2021 at 16:53, Ruediger Pluem <rp...@apache.org> wrote:
> 
> 
> 
> On 9/2/21 3:06 PM, Eric Covener wrote:
>> Since you are going through this I wanted to mention:
>> 
>> I think the public doc we have should mention everything that's done
>> during the release, even the security stuff that is somewhat private.
>> The ASF-wide security policy is already public
>> (https://www.apache.org/security/committers.html) and this is just the
>> mechanics of it for us.
>> 
>> Anyone object?  This way we have one linear place to point to.
> 
> +1 Looks sensible. The details of an actual security issue should not be public until we make it so, but the procedure we use can be.
> 
> Regards
> 
> Rüdiger
> 


Re: release?

Posted by Ruediger Pluem <rp...@apache.org>.

On 9/2/21 3:06 PM, Eric Covener wrote:
> Since you are going through this I wanted to mention:
> 
> I think the public doc we have should mention everything that's done
> during the release, even the security stuff that is somewhat private.
> The ASF-wide security policy is already public
> (https://www.apache.org/security/committers.html) and this is just the
> mechanics of it for us.
> 
> Anyone object?  This way we have one linear place to point to.

+1 Looks sensible. The details of an actual security issue should not be public until we make it so, but the procedure we use can be.

Regards

Rüdiger


Re: release?

Posted by Eric Covener <co...@gmail.com>.
Since you are going through this I wanted to mention:

I think the public doc we have should mention everything that's done
during the release, even the security stuff that is somewhat private.
The ASF-wide security policy is already public
(https://www.apache.org/security/committers.html) and this is just the
mechanics of it for us.

Anyone object?  This way we have one linear place to point to.

On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org <st...@eissing.org> wrote:
>
> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?
>
> Cheers,
> Stefan



-- 
Eric Covener
covener@gmail.com

Re: release?

Posted by "stefan@eissing.org" <st...@eissing.org>.

> On 30.08.2021 at 22:53, Christophe JAILLET <ch...@wanadoo.fr> wrote:
> 
> 
> On 30/08/2021 at 13:53, Eric Covener wrote:
>> On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org <st...@eissing.org> wrote:
>>> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?
>> If there is an over-the-shoulder session I would like to tag along.  I
>> am flexible on time of day but I am GMT+4 (EDT).  I can host on webex.
>> Otherwise if you just want to struggle through it I can tag along but
>> I have no experience.
> 
> I can give another try with my limited experience.
> 
> I definitively would like to add a --dry-run option for all scripts so that they can be run for learning purpose without the fear of un-expected impact on svn.
> 
> Existing scripts are not that easy to read at first, but are understandable and following http://httpd.apache.org/dev/release.html#how-to-do-a-release helps a lot. The scripts should also be tweaked because of the latest changes in several places (at least web site update (now on github) and CVE announcement (if any) now that part of the process is handled elsewhere).
> 
> The CVE announcement should be much easier, now that we have a "Send these Emails" on cveprocess.a.o. This should simplify part of the process where we were preparing some scripts to send the announcement emails.
> 
> I've been lacking time for httpd since many weeks, but I should be able to RM next week if needed.

I would like to look over your shoulder/help where I can. Maybe Eric can make a WebEx for us - that would make following along much easier, I guess.

Looking at the description link (thanks) I see that there are still a lot of "manual" things involved. And a "--dry-run" is definitely a thing we want. Will have a look at those scripts in the next days, to see what I can add here.

- Stefan
> 
> CJ
> 
>> Also: Anyone who has a showstopper to delay a release (even if not yet
>> proposed) please add it to 2.4.x STATUS so we can get things in order.
>> 


Re: release?

Posted by Dave Fisher <wa...@apache.org>.

> On Aug 31, 2021, at 4:12 AM, Daniel Ruggeri <da...@bitnebula.com> wrote:
> 
> 
> On 8/30/2021 3:53 PM, Christophe JAILLET wrote:
>> 
>> On 30/08/2021 at 13:53, Eric Covener wrote:
>>> On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org <st...@eissing.org> wrote:
>>>> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it? 
>>> If there is an over-the-shoulder session I would like to tag along.  I 
>>> am flexible on time of day but I am GMT+4 (EDT).  I can host on webex. 
>>> Otherwise if you just want to struggle through it I can tag along but 
>>> I have no experience. 
>> 
>> I can give another try with my limited experience. 
>> 
>> I definitively would like to add a --dry-run option for all scripts so that they can be run for learning purpose without the fear of un-expected impact on svn. 
> FWIW, the announce.sh script which collates all the security "stuff" and sends the announce emails drops the user to a shell to inspect/examine what WILL happen before actually doing anything. Any non-zero return code of that shell will abort the process. I used the heck out of that several times :-)
> 
> 
> 
>> 
>> Existing scripts are not that easy to read at first, but are understandable and following http://httpd.apache.org/dev/release.html#how-to-do-a-release helps a lot. The scripts should also be tweaked because of the latest changes in several places (at least web site update (now on github) and CVE announcement (if any) now that part of the process is handled elsewhere).
>> 
> 
> +1
> 
> To my knowledge, the publishing of the site and overhaul of the new CVE process are the things requiring updates.
> 

The JSON files for the release’s CVEs should be committed here: https://github.com/apache/httpd-site/tree/main/content/security/json : https://gitbox.apache.org/repos/asf?p=httpd-site.git;a=tree;f=content/security/json;hb=HEAD


> -- 
> Daniel Ruggeri
>> The CVE announcement should be much easier, now that we have a "Send these Emails" on cveprocess.a.o. This should simplify part of the process where we were preparing some scripts to send the announcement emails. 
>> 
>> I've been lacking time for httpd since many weeks, but I should be able to RM next week if needed. 
>> 
>> CJ 
>> 
>>> Also: Anyone who has a showstopper to delay a release (even if not yet 
>>> proposed) please add it to 2.4.x STATUS so we can get things in order. 
>>> 


Re: release?

Posted by Daniel Ruggeri <da...@bitnebula.com>.
On 8/30/2021 3:53 PM, Christophe JAILLET wrote:
>
> On 30/08/2021 at 13:53, Eric Covener wrote:
>> On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org
>> <st...@eissing.org> wrote:
>>> In what state is our release handling? Given someone holding my
>>> hand, could I do it? Or is it better to look someone over the
>>> shoulder while he does it?
>> If there is an over-the-shoulder session I would like to tag along.  I
>> am flexible on time of day but I am GMT+4 (EDT).  I can host on webex.
>> Otherwise if you just want to struggle through it I can tag along but
>> I have no experience.
>
> I can give another try with my limited experience.
>
> I definitively would like to add a --dry-run option for all scripts so
> that they can be run for learning purpose without the fear of
> un-expected impact on svn.

FWIW, the announce.sh script which collates all the security "stuff" and
sends the announce emails drops the user to a shell to inspect/examine
what WILL happen before actually doing anything. Any non-zero return
code of that shell will abort the process. I used the heck out of that
several times :-)


>
> Existing scripts are not that easy to read at first, but are
> understandable and following
> http://httpd.apache.org/dev/release.html#how-to-do-a-release helps a
> lot. The scripts should also be tweaked because of the latest changes
> in several places (at least web site update (now on github) and CVE
> announcement (if any) now that part of the process is handled elsewhere).
>

+1

To my knowledge, the publishing of the site and overhaul of the new CVE
process are the things requiring updates.

-- 
Daniel Ruggeri

> The CVE announcement should be much easier, now that we have a "Send
> these Emails" on cveprocess.a.o. This should simplify part of the
> process where we were preparing some scripts to send the announcement
> emails.
>
> I've been lacking time for httpd since many weeks, but I should be
> able to RM next week if needed.
>
> CJ
>
>> Also: Anyone who has a showstopper to delay a release (even if not yet
>> proposed) please add it to 2.4.x STATUS so we can get things in order.
>>

Re: release?

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 30/08/2021 at 13:53, Eric Covener wrote:
> On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org <st...@eissing.org> wrote:
>> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?
> If there is an over-the-shoulder session I would like to tag along.  I
> am flexible on time of day but I am GMT+4 (EDT).  I can host on webex.
> Otherwise if you just want to struggle through it I can tag along but
> I have no experience.

I can give another try with my limited experience.

I definitively would like to add a --dry-run option for all scripts so 
that they can be run for learning purpose without the fear of 
un-expected impact on svn.

Existing scripts are not that easy to read at first, but are 
understandable and following
http://httpd.apache.org/dev/release.html#how-to-do-a-release helps a 
lot. The scripts should also be tweaked because of the latest changes in 
several places (at least web site update (now on github) and CVE 
announcement (if any) now that part of the process is handled elsewhere).

The CVE announcement should be much easier, now that we have a "Send 
these Emails" on cveprocess.a.o. This should simplify part of the 
process where we were preparing some scripts to send the announcement 
emails.

I've been lacking time for httpd since many weeks, but I should be able 
to RM next week if needed.

CJ

> Also: Anyone who has a showstopper to delay a release (even if not yet
> proposed) please add it to 2.4.x STATUS so we can get things in order.
>

Re: release?

Posted by Ruediger Pluem <rp...@apache.org>.

On 8/31/21 8:57 PM, Christophe JAILLET wrote:
> 
> On 31/08/2021 at 20:25, Eric Covener wrote:
>>
>> Should we think about reverting the recent mod_unique_id changes?  It
>> seems like that was noticed pretty quickly but I think the current
>> problem is still not well understood. Meanwhile the original problem
>> on the old codebase wasn't widely reported.
> 
> +1
> 
> We can also easily narrow the time window where duplicate can be generated by just reordering the previous code.

Yes, looks like the old code base was "better". So let's do the improvement you mention and take some time for
reviewing the rewrite proposals that have been made on the Github PR.

Regards

Rüdiger


Re: release?

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 31/08/2021 at 20:25, Eric Covener wrote:
>
> Should we think about reverting the recent mod_unique_id changes?  It
> seems like that was noticed pretty quickly but I think the current
> problem is still not well understood. Meanwhile the original problem
> on the old codebase wasn't widely reported.

+1

We can also easily narrow the time window where duplicate can be 
generated by just reordering the previous code.

CJ


Re: release?

Posted by Eric Covener <co...@gmail.com>.
On Mon, Aug 30, 2021 at 12:41 PM Yann Ylavic <yl...@gmail.com> wrote:
>
> On Mon, Aug 30, 2021 at 1:54 PM Eric Covener <co...@gmail.com> wrote:
> >
> > Also: Anyone who has a showstopper to delay a release (even if not yet
> > proposed) please add it to 2.4.x STATUS so we can get things in order.
>
> I think that BZ 65519 and 65521 are showstoppers, I'm waiting for
> feedbacks from the OP to commit to trunk and propose the backport, but
> if it lasts too long I'll do it anyway..

+1, that POLLHUP one was one I was thinking of.

Should we think about reverting the recent mod_unique_id changes?  It
seems like that was noticed pretty quickly but I think the current
problem is still not well understood. Meanwhile the original problem
on the old codebase wasn't widely reported.

Re: release?

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Aug 30, 2021 at 1:54 PM Eric Covener <co...@gmail.com> wrote:
>
> Also: Anyone who has a showstopper to delay a release (even if not yet
> proposed) please add it to 2.4.x STATUS so we can get things in order.

I think that BZ 65519 and 65521 are showstoppers, I'm waiting for
feedbacks from the OP to commit to trunk and propose the backport, but
if it lasts too long I'll do it anyway..


Cheers;
Yann.

Re: release?

Posted by Eric Covener <co...@gmail.com>.
On Mon, Aug 30, 2021 at 7:36 AM stefan@eissing.org <st...@eissing.org> wrote:
>
> In what state is our release handling? Given someone holding my hand, could I do it? Or is it better to look someone over the shoulder while he does it?

If there is an over-the-shoulder session I would like to tag along.  I
am flexible on time of day but I am GMT+4 (EDT).  I can host on webex.
Otherwise if you just want to struggle through it I can tag along but
I have no experience.

Also: Anyone who has a showstopper to delay a release (even if not yet
proposed) please add it to 2.4.x STATUS so we can get things in order.

-- 
Eric Covener
covener@gmail.com