You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apr.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2021/09/17 19:52:55 UTC
apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?
We have much activity on apr-util-1.7.0 but no release actions for
some time now.
There are very minor changes to 1.6.x branch.
Do we want to release 1.7.0, or only a 1.6.x bump?
Or do we want to do both? Are we ready and are the API changes considered?
All observations and feedback on apr-util releases encouraged...
thanks,
Bill
Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Sep 20, 2021 at 1:08 PM Rainer Jung <ra...@kippdata.de> wrote:
>
> AFAIK if you want to build including crypto support, 1.7.x needs OpenSSL
> 1.0.2+. So if you need to stick to eg. 0.9.8, you are limited to 1.6.x.
> As we know, Apache httpd 2.4.x eg. still supports 0.9.8. So anyone
> building a recent 2.4.x using the totally outdated 0.9.8 must use APU 1.6.x.
Yes, but I don't even know whether it's worth calling out in anything other
than CHANGES, since 0.9.8 is simply DoA from a support or security perspective.
If a distributor is maintaining a 10yo OS distribution, they would in
theory also
be maintaining corresponding packages of openssl, and apr-util. As long as
httpd 2.4.x, subversion, etc support building against apr-1.7.0 (or
apr 2.0) then
there are really no worries.
> Concerning more 1.6.x updates: my understandig of the versioning was,
> that the middle digit provides API stability, ie. no new APIs are
> included in 1.N.x once the first patch release 1.N.0 was released. Based
> on that I would suggest to update 1.6.x very conservativly, mostly real
> bug fixes, no features. I would for instance favor not to include libxml
> support in 1.6.x.
I agree. Anything that would substantially change configure.in is just as likely
to disrupt someones' 1.6.x patch adoption as any ABI change, and needs to
be entirely avoided. Bug fix maintenance only.
> Deciding about having a 1.6.x release could depend on how important we
> think those committed fixes are.
Good point. I don't feel strongly either way, but can see where someone here
is welcome to suggest they prefer a more stable 1.6.x release without new
features, in which case we do both.
> Just my 2c.
>
> Best regards,
>
> Rainer
>
> Am 20.09.2021 um 11:35 schrieb Yann Ylavic:
> > On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >>
> >> We have much activity on apr-util-1.7.0 but no release actions for
> >> some time now.
> >> There are very minor changes to 1.6.x branch.
> >>
> >> Do we want to release 1.7.0, or only a 1.6.x bump?
> >> Or do we want to do both? Are we ready and are the API changes considered?
> >>
> >> All observations and feedback on apr-util releases encouraged...
> >
> > I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
> > we want to release both, but I think that it's not necessarily worth
> > it.
> >
> > Looking at the diffs between the two here is what I found:
> >
> > * Build with Mariadb not in 1.6.x:
> > - http://svn.apache.org/viewvc?rev=1872061&view=rev
> >
> > * Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
> > want it too?):
> > - http://svn.apache.org/viewvc?rev=1854603&view=rev
> > - http://svn.apache.org/viewvc?rev=1880287&view=rev
> >
> > (Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)
> >
> > * The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
> > our compat rules).
As long as everyone is happy with their review of this work... I've looked at
the libxml2 work since it landed and am pleased. (Pity that it isn't a
subversion
solution since svn makes direct use of expat itself, so we don't
actually lighten
up the dependency list in that case.)
I'm ok with landing the 1.7.0 package based on observations of apr-2.0 bleed.
> > I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
> > OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
> > in both).
I've been building httpd with apr-1.6.x openssl-1.1[.0, and .1] and didn't see
any indication it has an issue. I've also been building bleed against apr-2.0
and observed no problems there.
> > * apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
> > 1.6.x material per our compat rules).
> >
> > * apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
> > think we'd want to align here too).
This is a good bugfix to consider, but since it's a notable behavior change,
it's harder for the developer to say 1.6.5+ required as opposed to feature
is correct in 1.7+. But not impossible, so I'd leave it to the original patch
author to decide on backporting to 1.6.x as long as there is no abi change.
> > So if we want to release both, should we look at the above points that
> > can align?
> >
> >
> > Regards;
> > Yann.
Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or
both)?
Posted by Rainer Jung <ra...@kippdata.de>.
AFAIK if you want to build including crypto support, 1.7.x needs OpenSSL
1.0.2+. So if you need to stick to eg. 0.9.8, you are limited to 1.6.x.
As we know, Apache httpd 2.4.x eg. still supports 0.9.8. So anyone
building a recent 2.4.x using the totally outdated 0.9.8 must use APU 1.6.x.
Concerning more 1.6.x updates: my understandig of the versioning was,
that the middle digit provides API stability, ie. no new APIs are
included in 1.N.x once the first patch release 1.N.0 was released. Based
on that I would suggest to update 1.6.x very conservativly, mostly real
bug fixes, no features. I would for instance favor not to include libxml
support in 1.6.x.
Deciding about having a 1.6.x release could depend on how important we
think those committed fixes are.
Just my 2c.
Best regards,
Rainer
Am 20.09.2021 um 11:35 schrieb Yann Ylavic:
> On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> We have much activity on apr-util-1.7.0 but no release actions for
>> some time now.
>> There are very minor changes to 1.6.x branch.
>>
>> Do we want to release 1.7.0, or only a 1.6.x bump?
>> Or do we want to do both? Are we ready and are the API changes considered?
>>
>> All observations and feedback on apr-util releases encouraged...
>
> I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
> we want to release both, but I think that it's not necessarily worth
> it.
>
> Looking at the diffs between the two here is what I found:
>
> * Build with Mariadb not in 1.6.x:
> - http://svn.apache.org/viewvc?rev=1872061&view=rev
>
> * Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
> want it too?):
> - http://svn.apache.org/viewvc?rev=1854603&view=rev
> - http://svn.apache.org/viewvc?rev=1880287&view=rev
>
> (Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)
>
> * The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
> our compat rules).
> I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
> OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
> in both).
>
> * apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
> 1.6.x material per our compat rules).
>
> * apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
> think we'd want to align here too).
>
> So if we want to release both, should we look at the above points that
> can align?
>
>
> Regards;
> Yann.
Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?
Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> We have much activity on apr-util-1.7.0 but no release actions for
> some time now.
> There are very minor changes to 1.6.x branch.
>
> Do we want to release 1.7.0, or only a 1.6.x bump?
> Or do we want to do both? Are we ready and are the API changes considered?
>
> All observations and feedback on apr-util releases encouraged...
I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
we want to release both, but I think that it's not necessarily worth
it.
Looking at the diffs between the two here is what I found:
* Build with Mariadb not in 1.6.x:
- http://svn.apache.org/viewvc?rev=1872061&view=rev
* Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
want it too?):
- http://svn.apache.org/viewvc?rev=1854603&view=rev
- http://svn.apache.org/viewvc?rev=1880287&view=rev
(Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)
* The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
our compat rules).
I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
in both).
* apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
1.6.x material per our compat rules).
* apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
think we'd want to align here too).
So if we want to release both, should we look at the above points that
can align?
Regards;
Yann.
Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or
both)?
Posted by Noel Butler <no...@ausics.net>.
On 18/09/2021 05:52, William A Rowe Jr wrote:
> We have much activity on apr-util-1.7.0 but no release actions for
> some time now.
> There are very minor changes to 1.6.x branch.
>
> Do we want to release 1.7.0, or only a 1.6.x bump?
> Or do we want to do both? Are we ready and are the API changes
> considered?
>
> All observations and feedback on apr-util releases encouraged...
>
> thanks,
>
> Bill
+1 for 1.7.0
--
Regards,
Noel Butler
This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.