apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?

[William A Rowe Jr <wr...@rowe-clan.net>]

We have much activity on apr-util-1.7.0 but no release actions for
some time now.
There are very minor changes to 1.6.x branch.

Do we want to release 1.7.0, or only a 1.6.x bump?
Or do we want to do both? Are we ready and are the API changes considered?

All observations and feedback on apr-util releases encouraged...

thanks,

Bill

Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?

[William A Rowe Jr <wr...@rowe-clan.net>]

On Mon, Sep 20, 2021 at 1:08 PM Rainer Jung <ra...@kippdata.de> wrote:
>
> AFAIK if you want to build including crypto support, 1.7.x needs OpenSSL
> 1.0.2+. So if you need to stick to eg. 0.9.8, you are limited to 1.6.x.
> As we know, Apache httpd 2.4.x eg. still supports 0.9.8. So anyone
> building a recent 2.4.x using the totally outdated 0.9.8 must use APU 1.6.x.

Yes, but I don't even know whether it's worth calling out in anything other
than CHANGES, since 0.9.8 is simply DoA from a support or security perspective.
If a distributor is maintaining a 10yo OS distribution, they would in
theory also
be maintaining corresponding packages of openssl, and apr-util. As long as
httpd 2.4.x, subversion, etc support building against apr-1.7.0 (or
apr 2.0) then
there are really no worries.

> Concerning more 1.6.x updates: my understandig of the versioning was,
> that the middle digit provides API stability, ie. no new APIs are
> included in 1.N.x once the first patch release 1.N.0 was released. Based
> on that I would suggest to update 1.6.x very conservativly, mostly real
> bug fixes, no features. I would for instance favor not to include libxml
> support in 1.6.x.

I agree. Anything that would substantially change configure.in is just as likely
to disrupt someones' 1.6.x patch adoption as any ABI change, and needs to
be entirely avoided. Bug fix maintenance only.

> Deciding about having a 1.6.x release could depend on how important we
> think those committed fixes are.

Good point. I don't feel strongly either way, but can see where someone here
is welcome to suggest they prefer a more stable 1.6.x release without new
features, in which case we do both.

> Just my 2c.
>
> Best regards,
>
> Rainer
>
> Am 20.09.2021 um 11:35 schrieb Yann Ylavic:
> > On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >>
> >> We have much activity on apr-util-1.7.0 but no release actions for
> >> some time now.
> >> There are very minor changes to 1.6.x branch.
> >>
> >> Do we want to release 1.7.0, or only a 1.6.x bump?
> >> Or do we want to do both? Are we ready and are the API changes considered?
> >>
> >> All observations and feedback on apr-util releases encouraged...
> >
> > I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
> > we want to release both, but I think that it's not necessarily worth
> > it.
> >
> > Looking at the diffs between the two here is what I found:
> >
> > * Build with Mariadb not in 1.6.x:
> > - http://svn.apache.org/viewvc?rev=1872061&view=rev
> >
> > * Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
> > want it too?):
> > - http://svn.apache.org/viewvc?rev=1854603&view=rev
> > - http://svn.apache.org/viewvc?rev=1880287&view=rev
> >
> > (Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)
> >
> > * The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
> > our compat rules).

As long as everyone is happy with their review of this work... I've looked at
the libxml2 work since it landed and am pleased. (Pity that it isn't a
subversion
solution since svn makes direct use of expat itself, so we don't
actually lighten
up the dependency list in that case.)

I'm ok with landing the 1.7.0 package based on observations of apr-2.0 bleed.

> >    I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
> > OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
> > in both).

I've been building httpd with apr-1.6.x openssl-1.1[.0, and .1] and didn't see
any indication it has an issue. I've also been building bleed against apr-2.0
and observed no problems there.

> > * apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
> > 1.6.x material per our compat rules).
> >
> > * apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
> > think we'd want to align here too).

This is a good bugfix to consider, but since it's a notable behavior change,
it's harder for the developer to say 1.6.5+ required as opposed to feature
is correct in 1.7+. But not impossible, so I'd leave it to the original patch
author to decide on backporting to 1.6.x as long as there is no abi change.

> > So if we want to release both, should we look at the above points that
> > can align?
> >
> >
> > Regards;
> > Yann.

Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?

[Rainer Jung <ra...@kippdata.de>]

AFAIK if you want to build including crypto support, 1.7.x needs OpenSSL 
1.0.2+. So if you need to stick to eg. 0.9.8, you are limited to 1.6.x. 
As we know, Apache httpd 2.4.x eg. still supports 0.9.8. So anyone 
building a recent 2.4.x using the totally outdated 0.9.8 must use APU 1.6.x.

Concerning more 1.6.x updates: my understandig of the versioning was, 
that the middle digit provides API stability, ie. no new APIs are 
included in 1.N.x once the first patch release 1.N.0 was released. Based 
on that I would suggest to update 1.6.x very conservativly, mostly real 
bug fixes, no features. I would for instance favor not to include libxml 
support in 1.6.x.

Deciding about having a 1.6.x release could depend on how important we 
think those committed fixes are.

Just my 2c.

Best regards,

Rainer

Am 20.09.2021 um 11:35 schrieb Yann Ylavic:
> On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> We have much activity on apr-util-1.7.0 but no release actions for
>> some time now.
>> There are very minor changes to 1.6.x branch.
>>
>> Do we want to release 1.7.0, or only a 1.6.x bump?
>> Or do we want to do both? Are we ready and are the API changes considered?
>>
>> All observations and feedback on apr-util releases encouraged...
> 
> I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
> we want to release both, but I think that it's not necessarily worth
> it.
> 
> Looking at the diffs between the two here is what I found:
> 
> * Build with Mariadb not in 1.6.x:
> - http://svn.apache.org/viewvc?rev=1872061&view=rev
> 
> * Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
> want it too?):
> - http://svn.apache.org/viewvc?rev=1854603&view=rev
> - http://svn.apache.org/viewvc?rev=1880287&view=rev
> 
> (Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)
> 
> * The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
> our compat rules).
>    I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
> OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
> in both).
> 
> * apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
> 1.6.x material per our compat rules).
> 
> * apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
> think we'd want to align here too).
> 
> So if we want to release both, should we look at the above points that
> can align?
> 
> 
> Regards;
> Yann.

Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?

[Yann Ylavic <yl...@gmail.com>]

On Fri, Sep 17, 2021 at 9:53 PM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> We have much activity on apr-util-1.7.0 but no release actions for
> some time now.
> There are very minor changes to 1.6.x branch.
>
> Do we want to release 1.7.0, or only a 1.6.x bump?
> Or do we want to do both? Are we ready and are the API changes considered?
>
> All observations and feedback on apr-util releases encouraged...

I tried to align apr-util 1.6.x and 1.7.x w.r.t. "bug fixes" in case
we want to release both, but I think that it's not necessarily worth
it.

Looking at the diffs between the two here is what I found:

* Build with Mariadb not in 1.6.x:
- http://svn.apache.org/viewvc?rev=1872061&view=rev

* Build with libxml2/expat work in 1.7.x only (I think 1.6.x would
want it too?):
- http://svn.apache.org/viewvc?rev=1854603&view=rev
- http://svn.apache.org/viewvc?rev=1880287&view=rev

(Also on the xml side still, do we want Windows' xmllite work in 1.7.x? Ivan?)

* The crypto PRNG and Digests are new to 1.7.x (not 1.6.x material per
our compat rules).
  I'm not sure that 1.6.x is fine with openssl-1.1(.1)+,
OPENSSL_init_crypto() is in 1.7.x only (we probably want these changes
in both).

* apr_dbm_driver_t and apr_dbm_get_driver() are new to 1.7.x (not
1.6.x material per our compat rules).

* apu_dso_init/load() fixes w.r.t. global pool scope in 1.7.x only (I
think we'd want to align here too).

So if we want to release both, should we look at the above points that
can align?


Regards;
Yann.

Re: apr-util-1.7.0 initial release, or 1.6.x incremental release (or both)?

[Noel Butler <no...@ausics.net>]

On 18/09/2021 05:52, William A Rowe Jr wrote:

> We have much activity on apr-util-1.7.0 but no release actions for
> some time now.
> There are very minor changes to 1.6.x branch.
> 
> Do we want to release 1.7.0, or only a 1.6.x bump?
> Or do we want to do both? Are we ready and are the API changes 
> considered?
> 
> All observations and feedback on apr-util releases encouraged...
> 
> thanks,
> 
> Bill

+1 for  1.7.0

-- 
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.