Posted to users@httpd.apache.org by Steffen <in...@apachelounge.com.INVALID> on 2019/04/02 07:35:18 UTC

Re: [users@httpd] Apache httpd 2.4.39 GA for Windows

The ASF HTTPD project did not mention security vulnerabilities fixed in 
the initial changelog 2.4.39.

Added now to www.apachelounge.com/Changelog-2.4.html

See also http://httpd.apache.org/security/vulnerabilities_24.html

On 31-3-2019 12:12, Steffen wrote:
>
> Apacharians,
>
>
> See www.apachelounge.com/viewtopic.php?t=8254
>
> Highlight:
>
> This release is primarily a bug fix & stability release, several http2
> bugs fixed, and a new module mod_socache_redis.
>
>
> Enjoy,
>
> Steffen
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>




Re: [users@httpd] Apache httpd 2.4.39 GA for Windows

Posted by Steffen <in...@apachelounge.com.INVALID>.
Sorry, did not know, new for me.

Was just informing the community that the change log has undergone a change. And the new change log is only available with the next release. 

We and other sites (e.g. AH etc.) have already been making a release available for years and years, as soon as it had passed the vote as GA, and you should know that. Why this mail in public now, after all those years?

Please off list. 


> On 2 Apr 2019 at 19:14, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
>> On Tue, Apr 2, 2019 at 2:35 AM Steffen <in...@apachelounge.com.invalid> wrote:
> 
>> The ASF HTTPD project did not mention security vulnerabilities fixed in 
>> the initial changelog 2.4.39.
> 
> To be 100% accurate, the ASF HTTP Server project had not announced the
> release of 2.4.39. It had concluded a vote, but only the RM's announcement
> triggers the release. There is a delay for the RM to stage the artifacts so they
> can be downloaded by anyone from our entire array of mirror sites. And in
> that time, the RM could even pull the release owing to a serious packaging
> glitch, if they should need to (this happened not so long ago at httpd.)
> 
> You jumped the gun by pre-announcing your package as a "release", ahead 
> of the RM's announce and ahead of downloads from the ASF, which is poor 
> form to say the least. 
> 
> Security issues are embargoed until that announcement is broadcast by 
> the RM to the entire public at once. The project will not mention security 
> vulnerabilities fixed until that moment.
> 
> This isn't to say you shouldn't assemble your release of version x.y.z based
> on the vote candidate; in fact any change to that source package will always
> trigger version x.y.z+1, so there is no risk that your build varies from the final
> announced package. Be ahead of the game preparing your binary package,
> but defer any publicity until after the actual announcement.
> 
> 

Re: [users@httpd] Apache httpd 2.4.39 GA for Windows

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, Apr 2, 2019 at 2:35 AM Steffen <in...@apachelounge.com.invalid>
wrote:

> The ASF HTTPD project did not mention security vulnerabilities fixed in
> the initial changelog 2.4.39.


To be 100% accurate, the ASF HTTP Server project had not announced the
release of 2.4.39. It had concluded a vote, but only the RM's announcement
triggers the release. There is a delay for the RM to stage the artifacts so
they can be downloaded by anyone from our entire array of mirror sites. And in
that time, the RM could even pull the release owing to a serious packaging
glitch, if they should need to (this happened not so long ago at httpd.)

You jumped the gun by pre-announcing your package as a "release", ahead
of the RM's announce and ahead of downloads from the ASF, which is poor
form to say the least.

Security issues are embargoed until that announcement is broadcast by
the RM to the entire public at once. The project will not mention security
vulnerabilities fixed until that moment.

This isn't to say you shouldn't assemble your release of version x.y.z based
on the vote candidate; in fact any change to that source package will always
trigger version x.y.z+1, so there is no risk that your build varies from
the final announced package. Be ahead of the game preparing your binary package,
but defer any publicity until after the actual announcement.