Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2016/12/08 14:55:02 UTC

T&R of 2.4.24

Things are looking good for a T&R of 2.4.24 sometime late
today.

If you have any issues or concerns, let me know asap.

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
> On Dec 23, 2016, at 2:32 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> 
> I hope you sort this out in your ombudsman role, because this is the
> test of whether you understand ASF responsibilities, both legally,
> and in the sense of our entire ecosystem, and the will of your specific
> project who had a very firm position, before you undermined it.
> 
> Cheers, and a Merry Christmas!

Bill, puhlease. Stick and carrot? Really?

Anyway, this seems appropriate:

" 'Saruman, Saruman!' said Gandalf, still laughing. 'Saruman, you missed your path in life. You should have been the king's jester and earned your bread, and stripes too, by mimicking his counsellors. Ah me!' he paused, getting the better of his mirth. 'Understand one another? I fear I am beyond your comprehension. But you, Saruman, I understand now too well. I keep a clearer memory of your arguments, and deeds, than you suppose. When last I visited you, you were the jailor of Mordor, and there I was to be sent. Nay, the guest who escaped from the roof, will think twice before he comes back in by the door.' " 

I will give your comments the weight they deserve.

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Dec 9, 2016 at 8:03 AM, Jim Jagielski <ji...@jagunet.com> wrote:

>
> > On Dec 9, 2016, at 12:20 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > @VP Legal, is this worth an escalation? You didn't see fit to respond today,
> > but I think this falls under the purview of your committee, w.r.t. unapproved
> > release artifacts living at www.apache.org/dist/. Did you have any thoughts
> > or opinions one way or another?
>
> How is this different from, say, the win32 src zips or the
> complimentary binary builds?


That's an interesting question, or questions...

For starters, sources aren't binaries, but of course you knew that, as our
esteemed VP, Legal.

When ASF projects convey binaries, they convey them (purportedly) based
on the current jars/wars of the dependencies (are there other dependent
projects? SVN doesn't ship binaries, and I have no clue what OpenOffice
does. Other non-java examples are few and far between.)

These are fetched up fresh from maven or whatnot, and don't have a lot of
bearing on how non-java projects do things. AIUI, those jars don't even
supplant what is already provisioned, if those are more current, unless
the manifest demands an old rev.

The prior win32 src (before I committed that to branch, not trunk, and
didn't worry our silly heads about crlf after I wrote the apr fix script)
didn't include extra artifacts, unless you count apr-iconv. And I have
deep reservations about that call, if you've seen my comments about
what citrus might bring us and lack of maintaining that BSD iconv fork.

Thanks for the redaction on the 2.4.25-deps artifact. Frankly, I would
not have helped you push that out the door without that one concession.
And mad props to JChapmion for pushing the announce, since I didn't
have ASF smtp at the ready. So as always, it was an effort of many.

Fundamental issue with pushing -deps of, say, APR 1.5.2, is that the
following week 1.5.3 with bug fixes is released. Is the httpd
project responsible for updating -deps? Or f' ya all, download this
package... it won't hurt you... hopefully? Believe me, I went through
all that as an httpd win32 binary distributor who bundled openssl,
so I know this specific pain-point, and sense of responsibility, and
did have to ship new interim binaries when bad things were disclosed.

I hope you sort this out in your ombudsman role, because this is the
test of whether you understand ASF responsibilities, both legally,
and in the sense of our entire ecosystem, and the will of your specific
project who had a very firm position, before you undermined it.

Cheers, and a Merry Christmas!

Bill

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
> On Dec 9, 2016, at 12:20 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> @VP Legal, is this worth an escalation? You didn't see fit to respond today,
> but I think this falls under the purview of your committee, w.r.t. unapproved
> release artifacts living at www.apache.org/dist/. Did you have any thoughts
> or opinions one way or another?

How is this different from, say, the win32 src zips or the
complimentary binary builds?

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 8, 2016 at 12:16 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <ji...@jagunet.com> wrote:
>
>> AFAICT there is no consensus. But is this really a blocker?
>
>
> I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant
> vulnerability fixes (everyone seems very enamored with fuzz generators
> these past few years.)
>
> It doesn't block creation of httpd-2.4.24.tar.gz, obviously.
>
> It does raise the question again of whether the httpd project can
> distribute a source code package on www.apache.org/dist/httpd/ which is
> not voted on by the project, and whether it violates the spirit of the
> pmc consensus to no longer be the distributor of dependencies which
> frequently fall into a poorly maintained/updated state.
>

@VP Legal, is this worth an escalation? You didn't see fit to respond today,
but I think this falls under the purview of your committee, w.r.t. unapproved
release artifacts living at www.apache.org/dist/. Did you have any thoughts
or opinions one way or another?

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Dec 9, 2016 at 1:44 AM, Yann Ylavic <yl...@gmail.com> wrote:

> On Thu, Dec 8, 2016 at 7:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > It does raise the question again of whether the httpd project can
> > distribute a source code package on www.apache.org/dist/httpd/ which is
> > not voted on by the project, and whether it violates the spirit of the
> > pmc consensus to no longer be the distributor of dependencies which
> > frequently fall into a poorly maintained/updated state.
>
> Current httpd-2.4.23-deps.tar.*/srclib seems to contain APR(-util)
> only, no expat or PCRE; wasn't this decision taken already?
>

The decision in Nov 2008 to drop pcre was followed, that was not in
any -deps 'not-a-release' tarball. Expat was more deeply embedded;

httpd-2.4.23/srclib/apr-util/xml/expat/


> httpd-2.2.32.tar.*/srclib contains PCRE 5.0 (according to Changelog),
> no expat, but it looks off topic for this T&R...
>

Yup, I'm working on language that would accompany httpd-2.2.32.tar.gz
that the distribution includes ancient, bundled legacy binary-compatible
pcre and expat, and that users are strongly cautioned to provision pcre,
expat and the most current versions of apr and apr-util themselves from
the respective projects or their OS distribution.

Re: T&R of 2.4.24

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Dec 8, 2016 at 7:16 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> It does raise the question again of whether the httpd project can distribute
> a source code package on www.apache.org/dist/httpd/ which is not voted
> on by the project, and whether it violates the spirit of the pmc consensus
> to no longer be the distributor of dependencies which frequently fall into
> a poorly maintained/updated state.

Current httpd-2.4.23-deps.tar.*/srclib seems to contain APR(-util)
only, no expat or PCRE; wasn't this decision taken already?

httpd-2.2.32.tar.*/srclib contains PCRE 5.0 (according to Changelog),
no expat, but it looks off topic for this T&R...

Am I missing something?

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 8, 2016 at 12:03 PM, Jim Jagielski <ji...@jagunet.com> wrote:

> AFAICT there is no consensus. But is this really a blocker?


I don't know, expat is at 2.2.0 and PCRE is at 8.39 with significant
vulnerability fixes (everyone seems very enamored with fuzz generators
these past few years.)

It doesn't block creation of httpd-2.4.24.tar.gz, obviously.

It does raise the question again of whether the httpd project can distribute
a source code package on www.apache.org/dist/httpd/ which is not voted
on by the project, and whether it violates the spirit of the pmc consensus
to no longer be the distributor of dependencies which frequently fall into
a poorly maintained/updated state.

So it's simply a question about the -deps package, and since that is never
given a release vote, it really isn't holding up any tag & roll.



> > On Dec 8, 2016, at 12:38 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >
> > On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> > Things are looking good for a T&R of 2.4.24 sometime late
> > today.
> >
> > If you have any issues or concerns, let me know asap.
> >
> > Do we have any consensus on dropping the stale and vulnerable
> > expat or pcre packages from the pretending-not-to-be-released
> > -deps artifact in the www.a.o/dist/httpd/ releases tree?
> >
> >
> >
>
>

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
AFAICT there is no consensus. But is this really a
blocker?

> On Dec 8, 2016, at 12:38 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> Things are looking good for a T&R of 2.4.24 sometime late
> today.
> 
> If you have any issues or concerns, let me know asap.
> 
> Do we have any consensus on dropping the stale and vulnerable
> expat or pcre packages from the pretending-not-to-be-released 
> -deps artifact in the www.a.o/dist/httpd/ releases tree?
> 
> 
> 


Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <ji...@jagunet.com> wrote:

> Things are looking good for a T&R of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.
>

Do we have any consensus on dropping the stale and vulnerable
expat or pcre packages from the pretending-not-to-be-released
-deps artifact in the www.a.o/dist/httpd/ releases tree?

Re: T&R of 2.4.24

Posted by Stefan Eissing <st...@greenbytes.de>.
+1 and *many* thanks!

> Am 15.12.2016 um 16:13 schrieb Jim Jagielski <ji...@jaguNET.com>:
> 
> From what I can see, there are no show-stoppers and
> all my tests show no regressions...
> 
> Let's shoot for a T&R this (east coast) evening... how does
> that sound?
> 
>> On Dec 14, 2016, at 7:56 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
>> 
>> Looking at a T&R of 2.4.24 either the 15th or 16th...
> 

Stefan Eissing

<green/>bytes GmbH
Hafenstrasse 16
48155 Münster
www.greenbytes.de


Re: T&R of 2.4.24

Posted by Ruediger Pluem <rp...@apache.org>.

On 12/15/2016 08:09 PM, Eric Covener wrote:
> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>> From what I can see, there are no show-stoppers and
>>> all my tests show no regressions...
>>>
>>> Let's shoot for a T&R this (east coast) evening... how does
>>> that sound?
>>
>>
>> +1 & thanks

+1 and many thanks from me as well.

> 
> Sorry to be a buzzkill but I just replied to an April commit related
> to PR53555 that I'd like some of the resident big brains to consider
> as it will be new.

Shame on you for being a buzzkill :-). No seriously, thanks for giving a heads up here.

Regards

Rüdiger


Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
I'll give it until tomorrow AM... If we have the 3, it'll be
folded in. If not, I'm not going to delay.

> On Dec 15, 2016, at 4:34 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> Done and done.
> 
>> On Dec 15, 2016, at 4:30 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
>> 
>> Actually, it is:
>> 
>>   https://svn.apache.org/viewvc?view=revision&revision=1772334
>> 
>> So I would like to see the enhancement in:
>> 
>>   https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E
>> 
>> applied to trunk and then proposed for backport.
>> 
>>> On Dec 15, 2016, at 2:55 PM, Eric Covener <co...@gmail.com> wrote:
>>> 
>>> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener <co...@gmail.com> wrote:
>>>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
>>>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>>>>> From what I can see, there are no show-stoppers and
>>>>>> all my tests show no regressions...
>>>>>> 
>>>>>> Let's shoot for a T&R this (east coast) evening... how does
>>>>>> that sound?
>>>>> 
>>>>> 
>>>>> +1 & thanks
>>>> 
>>>> Sorry to be a buzzkill but I just replied to an April commit related
>>>> to PR53555 that I'd like some of the resident big brains to consider
>>>> as it will be new.
>>>> 
>>>> But I guess it can be done in parallel with the vote since we have
>>>> been delayed so much and it's got a fair chance to be no worse than
>>>> 2.4.23.
>>>> 
>>>> I do not think it is a showstopper but I see a little smoke there that
>>>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>>>> 
>>> 
>>> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
>>> is no 2.4.x risk here.
>>> 
>>> -- 
>>> Eric Covener
>>> covener@gmail.com
>> 
> 


Re: T&R of 2.4.24

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Dec 15, 2016 at 10:52 PM, Yann Ylavic <yl...@gmail.com> wrote:
> On Thu, Dec 15, 2016 at 10:34 PM, Jim Jagielski <ji...@jagunet.com> wrote:
>> Done and done.
>
> Will voted it

I meant "will vote" in this typo, not veto ;)

Maybe Eric with an easy reproducer could confirm, but unless poll()
consistently returns EINTR I don't see how his issue can happen on
2.4.24 (after 100ms from the signal to stop/restart).

Re: T&R of 2.4.24

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Dec 15, 2016 at 10:34 PM, Jim Jagielski <ji...@jagunet.com> wrote:
> Done and done.

Will voted it, but I don't think it's necessary for 2.4.24 (not
harmful though, possibly useless).

>
>> On Dec 15, 2016, at 4:30 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
>>
>> Actually, it is:
>>
>>    https://svn.apache.org/viewvc?view=revision&revision=1772334

The wakeup changes mentioned by Eric are in r1762718 and follow ups,
not backported yet.
In 2.4.24 we won't block indefinitely in poll() in any case, hence the
keepalive cleanup should always be called on restart/shutdown anyway
(every TIMEOUT_FUDGE_FACTOR).
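The point Yann makes in both of his replies above (the loop cannot sit in poll() forever waiting for an EINTR, because the wait has a finite bound, so housekeeping and the stop/restart check are reached at least once per timeout) can be shown in a few dozen lines outside httpd. The block below is an added illustration, not httpd source and not code from anyone on this thread; every name in it (run_listener_loop, loop_stats, demo_bounded_wait, the 100 ms bound and the 1 s alarm) is invented for the example, and the "cleanup pass" counter merely stands in for whatever periodic work a real event loop does.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Counters for what the loop observed (names invented for this example). */
struct loop_stats {
    int polls;     /* poll() calls made */
    int timeouts;  /* poll() returned 0: nothing ready within the bound */
    int eintrs;    /* poll() returned -1/EINTR: interrupted by a signal */
    int readable;  /* poll() reported input on the descriptor */
    int cleanups;  /* housekeeping passes (the "keepalive cleanup" role) */
};

static struct loop_stats g_stats;
static volatile sig_atomic_t stop_requested = 0;

/* Handler for the stop/restart request: only sets a flag; the loop does the work. */
static void on_stop_signal(int sig)
{
    (void)sig;
    stop_requested = 1;
}

/* Wait for input on fd, never blocking longer than timeout_ms per poll().
 * Because the wait is bounded, housekeeping runs at least every timeout_ms
 * and a stop request is noticed within that bound even if the signal never
 * interrupts poll() with EINTR. Returns the number of cleanup passes, or -1. */
static int run_listener_loop(int fd, int timeout_ms, struct loop_stats *st)
{
    struct pollfd pfd;
    char buf[64];

    memset(&pfd, 0, sizeof pfd);
    pfd.fd = fd;
    pfd.events = POLLIN;

    for (;;) {
        if (stop_requested) {
            st->cleanups++;            /* final housekeeping on shutdown */
            return st->cleanups;
        }
        st->polls++;
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0) {
            if (errno == EINTR) {      /* signal arrived mid-wait: re-check flag */
                st->eintrs++;
                continue;
            }
            return -1;
        }
        if (rc == 0) {                 /* bound expired with nothing to read */
            st->timeouts++;
            st->cleanups++;            /* periodic housekeeping pass */
            continue;
        }
        st->readable++;
        if (read(fd, buf, sizeof buf) <= 0)   /* EOF or error: writer is gone */
            return st->cleanups;
    }
}

/* Demo driver: a pipe on which nothing is ever written, a SIGALRM stop request
 * after `seconds`, and a poll() bound of timeout_ms. Returns the cleanup count
 * (roughly seconds*1000/timeout_ms), or -1 if the loop failed or the stop
 * request was never observed. */
int demo_bounded_wait(int timeout_ms, unsigned seconds)
{
    int fds[2];
    struct sigaction sa;

    if (pipe(fds) != 0)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_stop_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                   /* no SA_RESTART: poll() reports EINTR */
    sigaction(SIGALRM, &sa, NULL);

    memset(&g_stats, 0, sizeof g_stats);
    stop_requested = 0;
    alarm(seconds);
    int cleanups = run_listener_loop(fds[0], timeout_ms, &g_stats);
    alarm(0);
    close(fds[0]);
    close(fds[1]);
    return stop_requested ? cleanups : -1;
}

int main(void)
{
    int cleanups = demo_bounded_wait(100, 1);
    printf("cleanups=%d polls=%d timeouts=%d eintr=%d\n", cleanups,
           g_stats.polls, g_stats.timeouts, g_stats.eintrs);
    return cleanups > 0 ? 0 : 1;
}
```

Running it shows roughly ten cleanup passes in the one second before the alarm, with at most one EINTR; swapping the bound for -1 (an unbounded poll()) would make the loop depend entirely on that EINTR to ever notice the stop request, which is the situation the thread says 2.4.24 does not have.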

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
Done and done.

> On Dec 15, 2016, at 4:30 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> Actually, it is:
> 
>    https://svn.apache.org/viewvc?view=revision&revision=1772334
> 
> So I would like to see the enhancement in:
> 
>    https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E
> 
> applied to trunk and then proposed for backport.
> 
>> On Dec 15, 2016, at 2:55 PM, Eric Covener <co...@gmail.com> wrote:
>> 
>> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener <co...@gmail.com> wrote:
>>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
>>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>>>> From what I can see, there are no show-stoppers and
>>>>> all my tests show no regressions...
>>>>> 
>>>>> Let's shoot for a T&R this (east coast) evening... how does
>>>>> that sound?
>>>> 
>>>> 
>>>> +1 & thanks
>>> 
>>> Sorry to be a buzzkill but I just replied to an April commit related
>>> to PR53555 that I'd like some of the resident big brains to consider
>>> as it will be new.
>>> 
>>> But I guess it can be done in parallel with the vote since we have
>>> been delayed so much and it's got a fair chance to be no worse than
>>> 2.4.23.
>>> 
>>> I do not think it is a showstopper but I see a little smoke there that
>>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>>> 
>> 
>> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
>> is no 2.4.x risk here.
>> 
>> -- 
>> Eric Covener
>> covener@gmail.com
> 


Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
Actually, it is:

    https://svn.apache.org/viewvc?view=revision&revision=1772334

So I would like to see the enhancement in:

    https://lists.apache.org/thread.html/03a360e5214052b38752d10a75f864e59d518cd6ac8ddbbcefe91c18@%3Cdev.httpd.apache.org%3E

applied to trunk and then proposed for backport.

> On Dec 15, 2016, at 2:55 PM, Eric Covener <co...@gmail.com> wrote:
> 
> On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener <co...@gmail.com> wrote:
>> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
>>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>>> From what I can see, there are no show-stoppers and
>>>> all my tests show no regressions...
>>>> 
>>>> Let's shoot for a T&R this (east coast) evening... how does
>>>> that sound?
>>> 
>>> 
>>> +1 & thanks
>> 
>> Sorry to be a buzzkill but I just replied to an April commit related
>> to PR53555 that I'd like some of the resident big brains to consider
>> as it will be new.
>> 
>> But I guess it can be done in parallel with the vote since we have
>> been delayed so much and it's got a fair chance to be no worse than
>> 2.4.23.
>> 
>> I do not think it is a showstopper but I see a little smoke there that
>> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>> 
> 
> Yann pointed out that the wakeup enhancement is not in 2.4.x so there
> is no 2.4.x risk here.
> 
> -- 
> Eric Covener
> covener@gmail.com


Re: T&R of 2.4.24

Posted by Eric Covener <co...@gmail.com>.
On Thu, Dec 15, 2016 at 2:09 PM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
>> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>> From what I can see, there are no show-stoppers and
>>> all my tests show no regressions...
>>>
>>> Let's shoot for a T&R this (east coast) evening... how does
>>> that sound?
>>
>>
>> +1 & thanks
>
> Sorry to be a buzzkill but I just replied to an April commit related
> to PR53555 that I'd like some of the resident big brains to consider
> as it will be new.
>
> But I guess it can be done in parallel with the vote since we have
> been delayed so much and it's got a fair chance to be no worse than
> 2.4.23.
>
> I do not think it is a showstopper but I see a little smoke there that
> e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.
>

Yann pointed out that the wakeup enhancement is not in 2.4.x so there
is no 2.4.x risk here.

-- 
Eric Covener
covener@gmail.com

Re: T&R of 2.4.24

Posted by Eric Covener <co...@gmail.com>.
On Thu, Dec 15, 2016 at 10:16 AM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> From what I can see, there are no show-stoppers and
>> all my tests show no regressions...
>>
>> Let's shoot for a T&R this (east coast) evening... how does
>> that sound?
>
>
> +1 & thanks

Sorry to be a buzzkill but I just replied to an April commit related
to PR53555 that I'd like some of the resident big brains to consider
as it will be new.

But I guess it can be done in parallel with the vote since we have
been delayed so much and it's got a fair chance to be no worse than
2.4.23.

I do not think it is a showstopper but I see a little smoke there that
e.g. ylavic or sf may be able to debunk or throw up a bigger flag on.

-- 
Eric Covener
covener@gmail.com

Re: T&R of 2.4.24

Posted by Eric Covener <co...@gmail.com>.
On Thu, Dec 15, 2016 at 10:13 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> From what I can see, there are no show-stoppers and
> all my tests show no regressions...
>
> Let's shoot for a T&R this (east coast) evening... how does
> that sound?


+1 & thanks

-- 
Eric Covener
covener@gmail.com

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
From what I can see, there are no show-stoppers and
all my tests show no regressions...

Let's shoot for a T&R this (east coast) evening... how does
that sound?

> On Dec 14, 2016, at 7:56 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> Looking at a T&R of 2.4.24 either the 15th or 16th...


Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
Looking at a T&R of 2.4.24 either the 15th or 16th...

Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
Scratch that...

Instead, I plan on doing it on Monday, to provide some additional
time for some things to get locked down and resolved.

My apologies for those waiting for 2.4.24...

> On Dec 8, 2016, at 9:55 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> Things are looking good for a T&R of 2.4.24 sometime late
> today.
> 
> If you have any issues or concerns, let me know asap.


Re: T&R of 2.4.24

Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 12, 2016 at 8:43 PM, Daniel Ruggeri <DR...@primary.net> wrote:
>
> On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
>> In spite of 34 registered project committee members, until other
>> contributors come forward to participate in the security patch review
>> process, we may simply have to declare all further efforts are currently
>> on pause.
>
> Does one have to be on PMC to review security patches? If not, can you
> give me a general idea on volume? This would be something I think
> $dayjob would be OK with me doing as part of keeping a shirt on my back
> and roof over the children's heads ;-)


Not necessary. Go ahead and subscribe to security@httpd.apache.org and
someone should approve.

-- 
Eric Covener
covener@gmail.com

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Dec 12, 2016 7:44 PM, "Daniel Ruggeri" <DR...@primary.net> wrote:


On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
> In spite of 34 registered project committee members, until other
> contributors come forward to participate in the security patch review
> process, we may simply have to declare all further efforts are currently
> on pause.

Does one have to be on PMC to review security patches? If not, can you
give me a general idea on volume? This would be something I think
$dayjob would be OK with me doing as part of keeping a shirt on my back
and roof over the children's heads ;-)


This is something our httpd security team has revisited a few times over
the past few years.

To be on *httpd* security list, we require a certain level of trust. In the
past, this was based on PMC membership. We have since tweaked things to
bring in proven committers who are not yet on the PMC.

Also, all ASF Members have access to private archived lists; this includes
any PMC private lists and security lists across the foundation.

In terms of volume, there are only a handful of security issues per year,
from none to a dozen, but many dozens of reports we have to evaluate and
filter. It often takes probing questions of the reporter to distinguish
their defect report from a vulnerability, or to quantify and qualify the
exposure and risk.

The ASF-wide list is another beast, it is a massive spam trap, exceeding
dozens of garbage messages per day, to capture about a dozen legitimate
messages a day, and only a tiny handful of new inbound messages a day that
are dispatched to the appropriate PMC's team. That list does require ASF
Membership to volunteer because it has full visibility into most every
defect.

Re: T&R of 2.4.24

Posted by Daniel Ruggeri <DR...@primary.net>.
On 12/12/2016 12:26 AM, William A Rowe Jr wrote:
> In spite of 34 registered project committee members, until other 
> contributors come forward to participate in the security patch review 
> process, we may simply have to declare all further efforts are currently
> on pause.

Does one have to be on PMC to review security patches? If not, can you
give me a general idea on volume? This would be something I think
$dayjob would be OK with me doing as part of keeping a shirt on my back
and roof over the children's heads ;-)

-- 
Daniel Ruggeri


Re: T&R of 2.4.24

Posted by Jim Jagielski <ji...@jaguNET.com>.
> On Dec 12, 2016, at 1:26 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> Things are looking good for a T&R of 2.4.24 sometime late
> today.
> 
> If you have any issues or concerns, let me know asap.
> 
> Hi Jim,
> 
> we may have to concede, in light of many already partially disclosed
> CVE's, that it is impossible to proceed.
> 

Well, Bill, I'm sorry to say I disagree. I also think that
your characterization is wrong, incomplete and unwarranted.

See, the thing about releasing 2.4.24 is that it implies that
at some time, we can also release a 2.4.25.

Re: T&R of 2.4.24

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <ji...@jagunet.com> wrote:

> Things are looking good for a T&R of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.
>

Hi Jim,

we may have to concede, in light of many already partially disclosed
CVE's, that it is impossible to proceed.

At this moment, there are 5 committers who have invested time and
energy at looking at the current open issues. Of the stale issues, 2
refuse to fix the reported issues directly, while 3 others have lingering
patches that would fix the core defects. There is a straightforward
solution to solving such issues, but the quick-fix has issues of its
own. Only three votes are required to incorporate the fix, but in the
face of an objection, four are required to overrule a hold-out (assuming
it is even the right solution.)

Five is simply too small a number to sustain a security team at any
project of this complexity. That isn't pointing fingers at any person
whatsoever, it's an assessment of the situation.

In spite of 34 registered project committee members, until other
contributors come forward to participate in the security patch review
process, we may simply have to declare all further efforts are currently
on pause.

Sincerely, thanks for trying to push this release forward. I hope this
is all resolved quickly.