Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/07/08 21:36:55 UTC
Re: 1.1.1
For reasons that you may not have reached yet in your mailbox, there
are enough +1 votes to release today. I agree that this should not
be a weekly occurrence. The mod_alias bug could really be a problem
at a site that provides AllowOverride. That coupled with several bug
reports on the mod_auth_msql changes and wanting to get a stable
version on the FreeBSD CD-ROM have motivated this release.
>
> Just arrived back in the office about 1/2 hour ago, got the recap from
> Alexei about the 1.1.1 situation and a brief overview of the bugs it would
> fix. My feeling (and this may change when I read all the discourse from
> this weekend) is that we should not release a 1.1.1 so soon. Instead, we
> should put the patches on our web site and link to them under the "known
> bugs" pages, and in a couple of weeks after accumulating a few more fixes,
> release a 1.1.1.
>
> My reasons are:
>
> 1) None of these are security holes
> 2) Very few people are likely to be affected by the bugs, those who are
> are likely to be able to apply a patch.
> 3) We are *bound* to find more bugs of similar stature in the near future -
> should we release a 1.1.x every week?
> 4) Releasing a bugfix release so soon makes the problems sound far worse
> than they are.
>
> For many people, upgrading a server is a trauma on the same level as
> upgrading an OS, and asking them to do it twice in a week is a quick way
> to have people lose confidence in the product. Public product patches are
> an accepted practice. I'd even go so far as to make the apache-cvs list
> archives publicly linked, but they could use a little more organization
> first.
>
> Anyways, I'll careen through the messages now.
>
> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
Re: 1.1.1
Posted by Brian Behlendorf <br...@organic.com>.
On Mon, 8 Jul 1996, Randy Terbush wrote:
> For reasons that you may not have reached yet in your mailbox, there
> are enough +1 votes to release today. I agree that this should not
> be a weekly occurrence. The mod_alias bug could really be a problem
> at a site that provides AllowOverride. That coupled with several bug
> reports on the mod_auth_msql changes and wanting to get a stable
> version on the FreeBSD CD-ROM have motivated this release.
The FreeBSD folks could be given "1.1.0/FreeBSD 2.1.5 patchset".
The new mod_auth_msql is on hyperreal, in a directory pointed at by the
docs. I'd be for putting mention of this (and the new mod_cern_meta) on
the home page...
The mod_alias patch should be made public early, definitely, as a
recommended fix for people having problems with Redirects.
All that can happen without a 1.1.1 release.
However, I do now agree that the mod_alias bug is a security hole, in that
it can be used for nefarious purposes
("Redirect /shop-x/accept-credit-cards.cgi /evil-guy/steal-cc.cgi")
so a 1.1.1 release is inevitable. Can I press for a delay of a few days,
say until the end of the week, to see if any other disasters strike? Say
by Thursday noon, with a release date of Friday. This would at least
mitigate the possibility of a rush 1.1.2. We have to go build
new binaries, too....
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS