Posted to dev@httpd.apache.org by Mark Blackman <ma...@exonetric.com> on 2014/08/05 15:21:11 UTC

Apache 2.2.28 release timing.

Hi,

This might be more of a user than dev question, but as the discussions about
timing were here, I’ll go with here.

http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>

suggested the 2.2.28 tagging and presumably release is imminent,  
however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.

I understand the mechanics of open source projects, so this is not a “hurry-up”, 
it’s just a "can I get Apache 2.2.28 into my next hosting platform release or not”, 
the contents of which will be frozen on Aug. 15.

I’m mostly interested in the CVE updates, so I can tell users we’re clear of them. 
If the 2.2.28 release is not likely before Aug. 15, that’s fine, I just wanted to be sure.

Cheers,
Mark

Re: Apache 2.2.28 release timing.

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Thu, 21 Aug 2014 12:39:40 -0400
Jim Jagielski <ji...@jaguNET.com> wrote:

> OK... created a CentOS5 system w/ libtool 1.5.26 and
> autoconf 2.69, so I can RM 2.2.x!

Excellent!  Sorry I missed your note, claws mail client doesn't
re-sort by last-post date in threaded mode.  Someday, I'll find
a mail reader I can deal with that correctly works with IMAP ;-/
Didn't mean to step on toes :(

It will be great to have several of us that can handle the legacy
branch, I'll respond to Ben's puzzlement a bit later today as well,
so more people can become comfortable RM'ing.

With STATUS cleared out, I had gone ahead and tagged when I woke up
this morning, before I caught up on this thread, sigh.  Should anything 
be found that's gone off the track, would you mind doing the re-roll?
Next week, things get crazy for me once again.

Bill

Re: Apache 2.2.28 release timing.

Posted by Jim Jagielski <ji...@jaguNET.com>.
OK... created a CentOS5 system w/ libtool 1.5.26 and
autoconf 2.69, so I can RM 2.2.x!

On Aug 21, 2014, at 12:26 PM, Jim Jagielski <ji...@jaguNET.com> wrote:

> I have a CentOS 5 system that may have those older versions...
> CentOS 6 uses libtool 2.2.6b...
> 
> Let me check and, if so, I can RM.
> 
> Thx!
> On Aug 21, 2014, at 7:59 AM, Ruediger Pluem <rp...@apache.org> wrote:
> 
>> 
>> 
>> Jim Jagielski wrote:
>>> I offered to RM but OtherBill said he'd do it; plus, last
>>> time I did, I used more up-to-date versions of autoconf, et al.
>>> and OtherBill complained that for the 2.2 build, we should
>>> continue to use the much older versions...
>>> 
>>> FWIW, I still can't recall which old version numbers we
>>> should be using for 2.2... :/
>> 
>> Digging through the archives reveals:
>> 
>> On Tue, 12 Nov 2013 16:00:52 -0500
>> Jim Jagielski <ji...@jaguNET.com> wrote:
>> 
>>> So what versions of autoconf and libtool should we
>>> be baselining for 2.2.x?
>> 
>> On Tue, 12 Nov 2013 11:56:39 -0600
>> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
>> 
>>> Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
>>> later 1.5 libtool or 2.6x series autoconf ought to work but you would
>>> want to pre-buildconf and review any newer versions before tagging.
>> 
>> 
>> Regards
>> 
>> Rüdiger
>> 
> 


Re: Apache 2.2.28 release timing.

Posted by Jim Jagielski <ji...@jaguNET.com>.
I have a CentOS 5 system that may have those older versions...
CentOS 6 uses libtool 2.2.6b...

Let me check and, if so, I can RM.

Thx!
On Aug 21, 2014, at 7:59 AM, Ruediger Pluem <rp...@apache.org> wrote:

> 
> 
> Jim Jagielski wrote:
>> I offered to RM but OtherBill said he'd do it; plus, last
>> time I did, I used more up-to-date versions of autoconf, et al.
>> and OtherBill complained that for the 2.2 build, we should
>> continue to use the much older versions...
>> 
>> FWIW, I still can't recall which old version numbers we
>> should be using for 2.2... :/
> 
> Digging through the archives reveals:
> 
> On Tue, 12 Nov 2013 16:00:52 -0500
> Jim Jagielski <ji...@jaguNET.com> wrote:
> 
>> So what versions of autoconf and libtool should we
>> be baselining for 2.2.x?
> 
> On Tue, 12 Nov 2013 11:56:39 -0600
> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
> 
>> Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
>> later 1.5 libtool or 2.6x series autoconf ought to work but you would
>> want to pre-buildconf and review any newer versions before tagging.
> 
> 
> Regards
> 
> Rüdiger
> 


Re: Apache 2.2.28 release timing.

Posted by Ben Reser <be...@reser.org>.
On 8/21/14 6:26 PM, William A. Rowe Jr. wrote:
> That about sums it up.  Sorry, I am still drowning in my late father's
> affairs for another 3-4 weeks, but will make time to do this in 2 hours
> from now, sum up votes and move files Sun a.m. for a Mon a.m. release.
> That saves anyone else from creating an older toolchain (even I never
> use this one on the development branches).

Thanks Bill, if you don't get to it I'll try to do it next week.  I'm traveling
right now or I'd do it now.


Re: T&R of 2.2.28

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Fri, 22 Aug 2014 08:14:13 -0400
Jim Jagielski <ji...@jaguNET.com> wrote:

> I propose to T&R 2.2.28 on Tuesday; this gives people today,
> the weekend, and Monday to ensure 2.2.28 is in good enough
> shape to release.

My bad, I had already tagged and rolled before I caught up with this
thread, again it was a simple email race condition.  Time to drop my
Claws email client :(

Status is empty, patches are carefully vetted, so there was no need 
to wait for next week.  Your proposed timing goes very well with any
necessity of re-rolling a rejected tarball, and would be helpful and
greatly appreciated if it comes to that, thank you!



T&R of 2.2.28

Posted by Jim Jagielski <ji...@jaguNET.com>.
I propose to T&R 2.2.28 on Tuesday; this gives people today,
the weekend, and Monday to ensure 2.2.28 is in good enough
shape to release.

Thx!

On Aug 22, 2014, at 8:12 AM, Jim Jagielski <ji...@jaguNET.com> wrote:

> As noted, I already spent time creating a VM
> of CentOS5 with the required toolchain, so I'm good
> to go.
> 
> On Aug 21, 2014, at 1:26 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
> 
>> On Thu, 21 Aug 2014 13:59:52 +0200
>> Ruediger Pluem <rp...@apache.org> wrote:
>> 
>>> 
>>> 
>>> Jim Jagielski wrote:
>>>> I offered to RM but OtherBill said he'd do it; plus, last
>>>> time I did, I used more up-to-date versions of autoconf, et al.
>>>> and OtherBill complained that for the 2.2 build, we should
>>>> continue to use the much older versions...
>>>> 
>>>> FWIW, I still can't recall which old version numbers we
>>>> should be using for 2.2... :/
>>> 
>>> Digging through the archives reveals:
>>> 
>>> On Tue, 12 Nov 2013 16:00:52 -0500
>>> Jim Jagielski <ji...@jaguNET.com> wrote:
>>> 
>>>> So what versions of autoconf and libtool should we
>>>> be baselining for 2.2.x?
>>> 
>>> On Tue, 12 Nov 2013 11:56:39 -0600
>>> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
>>> 
>>>> Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
>>>> later 1.5 libtool or 2.6x series autoconf ought to work but you
>>>> would want to pre-buildconf and review any newer versions before
>>>> tagging.
>> 
>> That about sums it up.  Sorry, I am still drowning in my late father's
>> affairs for another 3-4 weeks, but will make time to do this in 2 hours
>> from now, sum up votes and move files Sun a.m. for a Mon a.m. release.
>> That saves anyone else from creating an older toolchain (even I never
>> use this one on the development branches).
>> 
>> I see three patches to apply, if nobody beats me to it I'll merge them,
>> but dibs goes to the proposer.  About Eric's comment, given the delay
>> we should pick up that patch, it can simply encourage us to get 2.4.11
>> out in the reasonably near future.
>> 
>> I'd love to see us pick up newer autoconf/libtool, preferably not on a
>> security release... perhaps we can come up with a bugfix release that
>> lets us let new conf scripts out into the wild for wider review?
>> 
>> I was not waiting on the utf-8 services patch, but am looking forward to
>> some of our international windows users giving that patch a spin and
>> sounding in on the fix for international service names.
> 


Re: Apache 2.2.28 release timing.

Posted by Jim Jagielski <ji...@jaguNET.com>.
As noted, I already spent time creating a VM
of CentOS5 with the required toolchain, so I'm good
to go.

On Aug 21, 2014, at 1:26 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:

> On Thu, 21 Aug 2014 13:59:52 +0200
> Ruediger Pluem <rp...@apache.org> wrote:
> 
>> 
>> 
>> Jim Jagielski wrote:
>>> I offered to RM but OtherBill said he'd do it; plus, last
>>> time I did, I used more up-to-date versions of autoconf, et al.
>>> and OtherBill complained that for the 2.2 build, we should
>>> continue to use the much older versions...
>>> 
>>> FWIW, I still can't recall which old version numbers we
>>> should be using for 2.2... :/
>> 
>> Digging through the archives reveals:
>> 
>> On Tue, 12 Nov 2013 16:00:52 -0500
>> Jim Jagielski <ji...@jaguNET.com> wrote:
>> 
>>> So what versions of autoconf and libtool should we
>>> be baselining for 2.2.x?
>> 
>> On Tue, 12 Nov 2013 11:56:39 -0600
>> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
>> 
>>> Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
>>> later 1.5 libtool or 2.6x series autoconf ought to work but you
>>> would want to pre-buildconf and review any newer versions before
>>> tagging.
> 
> That about sums it up.  Sorry, I am still drowning in my late father's
> affairs for another 3-4 weeks, but will make time to do this in 2 hours
> from now, sum up votes and move files Sun a.m. for a Mon a.m. release.
> That saves anyone else from creating an older toolchain (even I never
> use this one on the development branches).
> 
> I see three patches to apply, if nobody beats me to it I'll merge them,
> but dibs goes to the proposer.  About Eric's comment, given the delay
> we should pick up that patch, it can simply encourage us to get 2.4.11
> out in the reasonably near future.
> 
> I'd love to see us pick up newer autoconf/libtool, preferably not on a
> security release... perhaps we can come up with a bugfix release that
> lets us let new conf scripts out into the wild for wider review?
> 
> I was not waiting on the utf-8 services patch, but am looking forward to
> some of our international windows users giving that patch a spin and
> sounding in on the fix for international service names.


Re: Apache 2.2.28 release timing.

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Thu, 21 Aug 2014 13:59:52 +0200
Ruediger Pluem <rp...@apache.org> wrote:

> 
> 
> Jim Jagielski wrote:
> > I offered to RM but OtherBill said he'd do it; plus, last
> > time I did, I used more up-to-date versions of autoconf, et al.
> > and OtherBill complained that for the 2.2 build, we should
> > continue to use the much older versions...
> > 
> > FWIW, I still can't recall which old version numbers we
> > should be using for 2.2... :/
> 
> Digging through the archives reveals:
> 
> On Tue, 12 Nov 2013 16:00:52 -0500
> Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> > So what versions of autoconf and libtool should we
> > be baselining for 2.2.x?
> 
> On Tue, 12 Nov 2013 11:56:39 -0600
> "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
> 
> > Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
> > later 1.5 libtool or 2.6x series autoconf ought to work but you
> > would want to pre-buildconf and review any newer versions before
> > tagging.

That about sums it up.  Sorry, I am still drowning in my late father's
affairs for another 3-4 weeks, but will make time to do this in 2 hours
from now, sum up votes and move files Sun a.m. for a Mon a.m. release.
That saves anyone else from creating an older toolchain (even I never
use this one on the development branches).

I see three patches to apply, if nobody beats me to it I'll merge them,
but dibs goes to the proposer.  About Eric's comment, given the delay
we should pick up that patch, it can simply encourage us to get 2.4.11
out in the reasonably near future.

I'd love to see us pick up newer autoconf/libtool, preferably not on a
security release... perhaps we can come up with a bugfix release that
lets us let new conf scripts out into the wild for wider review?

I was not waiting on the utf-8 services patch, but am looking forward to
some of our international windows users giving that patch a spin and
sounding in on the fix for international service names.





Re: Apache 2.2.28 release timing.

Posted by Ruediger Pluem <rp...@apache.org>.

Jim Jagielski wrote:
> I offered to RM but OtherBill said he'd do it; plus, last
> time I did, I used more up-to-date versions of autoconf, et al.
> and OtherBill complained that for the 2.2 build, we should
> continue to use the much older versions...
> 
> FWIW, I still can't recall which old version numbers we
> should be using for 2.2... :/

Digging through the archives reveals:

On Tue, 12 Nov 2013 16:00:52 -0500
Jim Jagielski <ji...@jaguNET.com> wrote:

> So what versions of autoconf and libtool should we
> be baselining for 2.2.x?

On Tue, 12 Nov 2013 11:56:39 -0600
"William A. Rowe Jr." <wr...@rowe-clan.net> wrote:

> Libtool 1.5.26 and autoconf 2.67 were used for 2.2.25 release; any
> later 1.5 libtool or 2.6x series autoconf ought to work but you would
> want to pre-buildconf and review any newer versions before tagging.


Regards

Rüdiger
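
Added example, not part of any message in this thread and not the httpd project's release tooling: a pre-buildconf gate that rejects a release host whose libtool/autoconf fall outside the 2.2.x baseline quoted above. The function names are hypothetical, the sample version lines are constructed, and reading "later" as libtool 1.5.x with x >= 26 and autoconf 2.67 through 2.69 is an assumption.

```shell
#!/bin/sh
# Gate a 2.2.x release roll on the toolchain baseline quoted in the thread:
# libtool 1.5.26 / autoconf 2.67, or a later 1.5 libtool / 2.6x autoconf.

# Extract the dotted version number from the first line of `tool --version`.
tool_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# libtool must be in the 1.5 series at patch level 26 or later.
libtool_ok() {
    v=$(tool_version "$1")
    case "$v" in
        1.5.*) patch=${v#1.5.} ;;
        *) return 1 ;;
    esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge 26 ]
}

# autoconf must be in the 2.6x series, 2.67 or later (assumed lower bound).
autoconf_ok() {
    v=$(tool_version "$1")
    case "$v" in
        2.6[0-9]) minor=${v#2.} ;;
        *) return 1 ;;
    esac
    [ "$minor" -ge 67 ]
}

# Report both tools; return non-zero if either is outside the baseline.
check_toolchain() {
    rc=0
    if libtool_ok "$1"; then
        echo "libtool $(tool_version "$1"): ok"
    else
        echo "libtool $(tool_version "$1"): outside 2.2.x baseline"; rc=1
    fi
    if autoconf_ok "$2"; then
        echo "autoconf $(tool_version "$2"): ok"
    else
        echo "autoconf $(tool_version "$2"): outside 2.2.x baseline"; rc=1
    fi
    return $rc
}

# Constructed --version first lines (not captured from a real host).
SAMPLE_LIBTOOL_OLD='ltmain.sh (GNU libtool) 1.5.26 (1.1220.2.493 2008/02/01 16:58:18)'
SAMPLE_LIBTOOL_NEW='ltmain.sh (GNU libtool) 2.2.6b'
SAMPLE_AUTOCONF='autoconf (GNU Autoconf) 2.69'

check_toolchain "$SAMPLE_LIBTOOL_OLD" "$SAMPLE_AUTOCONF"
check_toolchain "$SAMPLE_LIBTOOL_NEW" "$SAMPLE_AUTOCONF" || echo "refusing to run buildconf"

# On a real release host:
#   check_toolchain "$(libtool --version)" "$(autoconf --version)" || exit 1
```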


Re: Apache 2.2.28 release timing.

Posted by Jim Jagielski <ji...@jaguNET.com>.
I offered to RM but OtherBill said he'd do it; plus, last
time I did, I used more up-to-date versions of autoconf, et al.
and OtherBill complained that for the 2.2 build, we should
continue to use the much older versions...

FWIW, I still can't recall which old version numbers we
should be using for 2.2... :/

On Aug 20, 2014, at 3:00 PM, Ruediger Pluem <rp...@apache.org> wrote:

> 
> 
> Ben Reser wrote:
>> On 8/5/14 2:21 PM, Mark Blackman wrote:
>>> This might be more of a user than dev question, but as the discussions about
>>> timing were here, I’ll go with here.
>>> 
>>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>
>>> 
>>> suggested the 2.2.28 tagging and presumably release is imminent,  
>>> however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.
>>> 
>>> I understand the mechanics of open source projects, so this is not a “hurry-up”, 
>>> it’s just a "can I get Apache 2.2.28 into my next hosting platform release or not”, 
>>> the contents of which will be frozen on Aug. 15.
>>> 
> 
>> 
>> I'd do the rolling myself but I'm not 100% clear on what needs to happen.  So
>> if someone can do a little hand holding I'll be happy to do the release myself.
>> I'm generally familiar with how the ASF does releases since I do the
>> Subversion release regularly.  So this would be entirely about the specifics of
>> rolling the release.
>> 
> 
> http://httpd.apache.org/dev/release.html should be a good starting point. There are 3 patches left in STATUS that
> already have 3 +1's that need to get committed to the branch before rolling.
> 
> Regards
> 
> Rüdiger


Re: Apache 2.2.28 release timing.

Posted by Ruediger Pluem <rp...@apache.org>.

Ben Reser wrote:
> On 8/5/14 2:21 PM, Mark Blackman wrote:
>> This might be more of a user than dev question, but as the discussions about
>> timing were here, I’ll go with here.
>>
>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>
>>
>> suggested the 2.2.28 tagging and presumably release is imminent,  
>> however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.
>>
>> I understand the mechanics of open source projects, so this is not a “hurry-up”, 
>> it’s just a "can I get Apache 2.2.28 into my next hosting platform release or not”, 
>> the contents of which will be frozen on Aug. 15.
>>

> 
> I'd do the rolling myself but I'm not 100% clear on what needs to happen.  So
> if someone can do a little hand holding I'll be happy to do the release myself.
>  I'm generally familiar with how the ASF does releases since I do the
> Subversion release regularly.  So this would be entirely about the specifics of
> rolling the release.
> 

http://httpd.apache.org/dev/release.html should be a good starting point. There are 3 patches left in STATUS that
already have 3 +1's that need to get committed to the branch before rolling.

Regards

Rüdiger



Release Management

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Wed, 20 Aug 2014 16:35:34 +0100
Ben Reser <be...@reser.org> wrote:

> I'd do the rolling myself but I'm not 100% clear on what needs to
> happen.  So if someone can do a little hand holding I'll be happy to
> do the release myself. I'm generally familiar with how the ASF does
> releases since I do the Subversion release regularly.  So this would
> be entirely about the specifics of rolling the release.

The instructions at http://httpd.apache.org/dev/release.html have been
refreshed now.

I'd encourage anyone who wants to cut their teeth at RM'ing to think
about the 2.5.x alpha/beta branch.  It's a good way to become familiar
with the whole process and shouldn't be at all intimidating.  Hopefully,
we'll have enough meat in that branch to make a dev release sometime
soon.  (I realize that much of the meaty goodness has been backported
to 2.4.x, but at some point they will eventually diverge enough to move
forward toward 2.6).

Re: Apache 2.2.28 release timing.

Posted by Ben Reser <be...@reser.org>.
On 8/5/14 2:21 PM, Mark Blackman wrote:
> This might be more of a user than dev question, but as the discussions about
> timing were here, I’ll go with here.
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>
> 
> suggested the 2.2.28 tagging and presumably release is imminent,  
> however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.
> 
> I understand the mechanics of open source projects, so this is not a “hurry-up”, 
> it’s just a "can I get Apache 2.2.28 into my next hosting platform release or not”, 
> the contents of which will be frozen on Aug. 15.
> 
> I’m mostly interested in the CVE updates, so I can tell users we’re clear of them. 
> If the 2.2.28 release is not likely before Aug. 15, that’s fine, I just wanted to be sure.

Beyond just the CVE changes there are other changes such as the fix for PR
56480 that people want in a 2.2.x release.  Some Subversion users are still
needing to use 2.2.x for reasons that aren't terribly important to go into here.

I've been patiently waiting for this release to happen, but it's been nearly a
month now since the original intent to roll email came out.

I'd do the rolling myself but I'm not 100% clear on what needs to happen.  So
if someone can do a little hand holding I'll be happy to do the release myself.
 I'm generally familiar with how the ASF does releases since I do the
Subversion release regularly.  So this would be entirely about the specifics of
rolling the release.

Re: Apache 2.2.28 release timing.

Posted by olli hauer <oh...@gmx.de>.
On 2014-08-05 15:21, Mark Blackman wrote:
> Hi,
> 
> This might be more of a user than dev question, but as the discussions about
> timing were here, I’ll go with here.
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>
> 
> suggested the 2.2.28 tagging and presumably release is imminent,  
> however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.
> 
> I understand the mechanics of open source projects, so this is not a “hurry-up”, 
> it’s just a "can I get Apache 2.2.28 into my next hosting platform release or not”, 
> the contents of which will be frozen on Aug. 15.
> 
> I’m mostly interested in the CVE updates, so I can tell users we’re clear of them. 
> If the 2.2.28 release is not likely before Aug. 15, that’s fine, I just wanted to be sure.
> 
> Cheers,
> Mark

Hi Mark,

I suspect almost all distributions already ship patched Apache 2.2 packages/ports.

In case you build Apache yourself just use the patches from the upstream SVN,

http://svn.apache.org/viewvc?view=revision&revision=1611185
http://svn.apache.org/viewvc?view=revision&revision=1610515
http://svn.apache.org/viewvc?view=revision&revision=1611185

Or from the FreeBSD svn as a set of three patch files:

http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0118__mod_deflate.c?revision=362845&view=co
http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0226__scoreboard.c?revision=362845&view=co
http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0231__mod_cgid.c?revision=362845&view=co

I hope the list of CVE patches is complete, else I'm happy to get additional hints from the Apache devs to integrate missing fixes.

-- 
olli