Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2003/03/14 17:28:34 UTC

Re: apr 0.9.2 release?

Craig...

  we are waiting on only one issue; addressing the inherited apr
handles vulnerability discussed for httpd 2.0 cgi scripting on vuln-dev.

  Bjoern Zeeb has spearheaded the effort for the Apache and APR
projects to adopt appropriate patches... and as soon as those are
evaluated and committed you can expect APR 0.9.2 and very soon
after, Apache 2.0.45 built on that tag.  It's unclear to me (but I'm
starting to get a handle on it) if it's entirely Apache's issue (unlikely)
or if we have things to change in apr_file_inherit_set (likely).

  My confusion comes from the fact that I'm still wrapping my brain
around when FD_CLOEXEC actually is triggered, and how to safely
assure we close what we intend, and leave open the handles that
the author desires.

  Doesn't give you a definitive date, but I hope this helps explain
where we sit right now.  More eyeballs on Bjoern's patches will
definitely speed this along ;-)

Bill

At 09:38 AM 3/14/2003, you wrote:
>Hi,
>
>When will apr 0.9.2 be released?
>
>I am the FreeBSD maintainer of the apr port, and several users
>are asking me about this.
>
>Thanks. 
>-- 
>Craig Rodrigues        
>http://home.attbi.com/~rodrigc
>rodrigc@attbi.com
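
The FD_CLOEXEC question raised in the message above, as an added example that is not part of the original thread and is not APR or httpd code: the flag does nothing at fork() and only closes the descriptor when an exec succeeds. The helper names set_inherit and fd_survives_exec are hypothetical and use plain POSIX fcntl rather than apr_file_inherit_set; the example assumes /bin/sh and a /dev/fd directory are available.

```c
/* Added example (POSIX). Assumes /bin/sh and a /dev/fd directory exist. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* inherit=1 clears FD_CLOEXEC, inherit=0 sets it; other flags are kept. */
int set_inherit(int fd, int inherit)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    flags = inherit ? (flags & ~FD_CLOEXEC) : (flags | FD_CLOEXEC);
    return fcntl(fd, F_SETFD, flags);
}

/* Returns 1 if the descriptor is still open in the exec'd program, 0 if it
 * was closed at exec, 2 if it vanished at fork (never expected), -1 on error. */
int fd_survives_exec(int inherit)
{
    char cmd[64];
    int status, fd = open("/dev/null", O_RDONLY);
    if (fd == -1 || set_inherit(fd, inherit) == -1)
        return -1;
    snprintf(cmd, sizeof cmd, "test -e /dev/fd/%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        /* fork() copies the descriptor table; FD_CLOEXEC has not acted yet. */
        if (fcntl(fd, F_GETFD) == -1)
            _exit(4);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(5);                       /* exec itself failed */
    }
    close(fd);
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;                  /* test -e found the inherited fd */
    case 1:  return 0;                  /* fd was closed when sh was exec'd */
    case 4:  return 2;
    default: return -1;
    }
}

int main(void)
{
    printf("inheritable: %d, close-on-exec: %d\n",
           fd_survives_exec(1), fd_survives_exec(0));
    return 0;
}
```

A descriptor opened without the flag is visible to whatever program the child execs, which is the leak a CGI script would see; setting the flag before the fork closes it at exec while the parent keeps its own copy.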



Re: apr 0.9.2 release?

Posted by Craig Rodrigues <ro...@attbi.com>.
On Fri, Mar 14, 2003 at 07:05:15PM -0800, Ben Collins-Sussman wrote:
> It's not that the apr in httpd-2.0.44 is "better" than HEAD, it's
> simply the fact that it's *well tested*.  Obviously httpd tested
> against that snapshot, and so did the Subversion team.

The apr version in httpd-2.0.44 does not include certain
fixes, such as my fix to the buildconf script in apr-utils
which added a --with-apr flag.

I don't really see any incentive to putting any effort into
basing a port on this version of software vs. a proper apr-0.9.2
release.

-- 
Craig Rodrigues        
http://home.attbi.com/~rodrigc
rodrigc@attbi.com

Re: apr 0.9.2 release?

Posted by Ben Collins-Sussman <su...@collab.net>.
Craig Rodrigues <ro...@attbi.com> writes:

> On Fri, Mar 14, 2003 at 06:42:45PM -0800, Ben Collins-Sussman wrote:
> >   - unpack the httpd-2.0.44 tarball
> > 
> >   - yank the apr and apr-util libraries out of it
> 
> What's the advantage of doing that versus just using
> one of the apr snapshots on http://cvs.apache.org/snapshots/apr/

Because those aren't around for more than a few days.  They're just
nightly snapshots.  You want to standardize on *one* tree, not some
random nightly snapshot.

> 
> What is functionally different between the apr version in httpd-2.0.44
> and the apr snapshots?

APR is changing every day.  People commit and remove stuff all the
time.  APIs change.  Bugs are fixed, bugs are introduced.

It's not that the apr in httpd-2.0.44 is "better" than HEAD, it's
simply the fact that it's *well tested*.  Obviously httpd tested
against that snapshot, and so did the Subversion team.

> I don't want to become a distributor of apr, so would rather have those
> tarballs hosted on the existing apache.org server.  There already is a 
> mechanism for keeping around longer lived apr snapshots
> ( http://www.apache.org/dist/apr/not-released ), why not just use that?

If the apr folks allow it, sure.  Maybe they'd be nice enough to post
the 2.0.44 snapshot of apr there.

If not, I'm pretty sure we can post it on svn.collab.net.

Re: apr 0.9.2 release?

Posted by Craig Rodrigues <ro...@attbi.com>.
On Fri, Mar 14, 2003 at 06:42:45PM -0800, Ben Collins-Sussman wrote:
>   - unpack the httpd-2.0.44 tarball
> 
>   - yank the apr and apr-util libraries out of it

What's the advantage of doing that versus just using
one of the apr snapshots on http://cvs.apache.org/snapshots/apr/

What is functionally different between the apr version in httpd-2.0.44
and the apr snapshots?

>   - post them somewhere, either on apr.apache.org, svn.collab.net, or
>     on a private server.

I don't want to become a distributor of apr, so would rather have those
tarballs hosted on the existing apache.org server.  There already is a 
mechanism for keeping around longer lived apr snapshots
( http://www.apache.org/dist/apr/not-released ), why not just use that?

-- 
Craig Rodrigues        
http://home.attbi.com/~rodrigc
rodrigc@attbi.com

Re: apr 0.9.2 release?

Posted by Ben Collins-Sussman <su...@collab.net>.
Craig Rodrigues <ro...@attbi.com> writes:

> On Fri, Mar 14, 2003 at 05:56:13PM -0800, Ben Collins-Sussman wrote:
> > Subversion's latest releases are all tested against the apr/apr-util
> > included in the httpd-2.0.44 release.  Maybe you could checkout the
> > 2.0.44 tag of apr/apr-util, and build the port around that?  
> 
> Well the way that ports work, subversion is dependent on the released
> version of APR.  Checking out things from CVS is not how things work.
> Part of the port process entails downloading
> the tgz package from the distribution source and building it.
> I could make the port work off of a snapshot of APR (which is what
> Garrett Rooney had set up before), but APR snapshots have a shelf
> life which is too short, unless a file is placed in the unreleased
> directory and stays around for a while.

I'm suggesting that *you* make a snapshot:

  - unpack the httpd-2.0.44 tarball

  - yank the apr and apr-util libraries out of it

  - re-tar them yourself, call them 'apr-0.9.2-prerelease.tar.gz' or
    something.

  - post them somewhere, either on apr.apache.org, svn.collab.net, or
    on a private server.

  - base your FreeBSD apr ports on those tarballs.
  
  - base your FreeBSD subversion port on the FreeBSD apr port.

I mean, if the apr-snapshot within httpd-2.0.44 is good enough for
Subversion releases, it should be good enough for your Subversion
port.  :-)

Re: apr 0.9.2 release?

Posted by Craig Rodrigues <ro...@attbi.com>.
On Fri, Mar 14, 2003 at 05:56:13PM -0800, Ben Collins-Sussman wrote:
> Subversion's latest releases are all tested against the apr/apr-util
> included in the httpd-2.0.44 release.  Maybe you could checkout the
> 2.0.44 tag of apr/apr-util, and build the port around that?  

Well the way that ports work, subversion is dependent on the released
version of APR.  Checking out things from CVS is not how things work.
Part of the port process entails downloading
the tgz package from the distribution source and building it.
I could make the port work off of a snapshot of APR (which is what
Garrett Rooney had set up before), but APR snapshots have a shelf
life which is too short, unless a file is placed in the unreleased
directory and stays around for a while.

-- 
Craig Rodrigues        
http://home.attbi.com/~rodrigc
rodrigc@attbi.com

Re: apr 0.9.2 release?

Posted by Ben Collins-Sussman <su...@collab.net>.
Craig Rodrigues <ro...@attbi.com> writes:

> I am also the FreeBSD port maintainer of subversion, and the
> lack of apr-0.9.2 is preventing me from upgrading the subversion port.
> 
> Would it be possible to copy one recent copy of apr and apr-util nightly 
> snapshots to
> http://www.apache.org/dist/apr/not-released/
> 
> I understand that files in this directory are not official and not supported,
> but this would at least allow me to upgrade the FreeBSD apr port in
> the interim, in lieu of an official apr-0.9.2 release,
> and get some of my FreeBSD port users off of my back. :)

Subversion's latest releases are all tested against the apr/apr-util
included in the httpd-2.0.44 release.  Maybe you could checkout the
2.0.44 tag of apr/apr-util, and build the port around that?  

Re: apr 0.9.2 release?

Posted by Craig Rodrigues <ro...@attbi.com>.
On Fri, Mar 14, 2003 at 10:28:34AM -0600, William A. Rowe, Jr. wrote:
> Craig...
> 
>   we are waiting on only one issue; addressing the inherited apr
> handles vulnerability discussed for httpd 2.0 cgi scripting on vuln-dev.
> 

> 
>   Doesn't give you a definitive date, but I hope this helps explain
> where we sit right now.  More eyeballs on Bjoern's patches will
> definitely speed this along ;-)

I am not familiar with the issues.  Is this on the order
of days or weeks?

I am also the FreeBSD port maintainer of subversion, and the
lack of apr-0.9.2 is preventing me from upgrading the subversion port.

Would it be possible to copy one recent copy of apr and apr-util nightly 
snapshots to
http://www.apache.org/dist/apr/not-released/

I understand that files in this directory are not official and not supported,
but this would at least allow me to upgrade the FreeBSD apr port in
the interim, in lieu of an official apr-0.9.2 release,
and get some of my FreeBSD port users off of my back. :)

Thanks.

-- 
Craig Rodrigues        
http://home.attbi.com/~rodrigc
rodrigc@attbi.com

and the httpd-2.0.45 release...

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 10:28 AM 3/14/2003, William A. Rowe, Jr. wrote:

>  Bjoern Zeeb has spearheaded the effort for the Apache and APR
>projects to adopt appropriate patches... and as soon as those are
>evaluated and committed you can expect APR 0.9.2 and very soon
>after, Apache 2.0.45 built on that tag.  It's unclear to me (but I'm
>starting to get a handle on it) if it's entirely Apache's issue (unlikely)
>or if we have things to change in apr_file_inherit_set (likely).

Of course that's only one issue that applies to httpd 2.0.45 - we also
have the ssl timing issue to address before the httpd release.

Bill