Posted to dev@httpd.apache.org by Steffen <in...@apachelounge.com> on 2015/06/11 11:26:58 UTC

Roll 2.2.30 in conjunction with 2.4.14

Not so happy to roll 2.2.30 in conjunction with 2.4.14.

It does not stimulate pp to upgrade to 2.4; it suggests that the httpd-project gives 2.2 (legacy) the same priority as 2.4.

Better first 2.4 and after some time 2.2. I do not agree with the argument to simplify the announcement.



From: William A Rowe Jr 
Sent: Thursday, June 11, 2015 4:54 AM
Newsgroups: gmane.comp.apache.devel
To: httpd 
Subject: Re: Review of 2.2.x security patch sought.

Just a quick /nag that I'm happy to roll 2.2.30 in conjunction with 2.4.14,  
so that we present both to the community at the same time, and simplify
the announcement.  This patch still needs a third +1 to be adopted (it is
already in trunk, and in the 2.4.14 Jim will be tagging & rolling shortly).

...
...
...

Re: Roll 2.2.30 in conjunction with 2.4.14

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Jun 11, 2015 8:22 AM, "Eric Covener" <co...@gmail.com> wrote:
>
> On Thu, Jun 11, 2015 at 9:08 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> But withholding a security fix for legacy server users?  Sounds like a
>> way to earn distrust of the user community, not reassure them that 2.4.14
>> is the best version available.
>
> +1

The 2.2 patches are in alignment with the resolved 2.4 security patches
plus the relaxed trailing spaces rule. Yann and I have reviewed; still, weeks
later, 2.2.30 needs one more pair of eyeballs and a third +1 on the 2
patches.

I can T&R in the morning Friday if it has been reviewed, else it will be a
while before I can RM.

Re: Roll 2.2.30 in conjunction with 2.4.14

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jun 11, 2015 at 9:08 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:

> But withholding a security fix for legacy server users?  Sounds like a way
> to earn distrust of the user community, not reassure them that 2.4.14 is
> the best version available.
>
+1

Re: Roll 2.2.30 in conjunction with 2.4.14

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
I believe the opposite: that an announcement of 2.4 containing enhancements,
bug fixes, and security fixes, and of 2.2 legacy containing security fixes
only, will set user expectations.  A later 2.2 announce muddies the waters when
users ponder if it is 'current' and sufficient.  We have language in both
files to clarify this, but still...

Another way to put it is that 2.2.30 shouldn't be a headline and receive
its own announcement, but sit as a sidebar of our significant public
message that 2.4 release is out.

But withholding a security fix for legacy server users?  Sounds like a way
to earn distrust of the user community, not reassure them that 2.4.14 is
the best version available.  Whose interest does that serve?

Not ours, it leaves the risk in place between 2.2 and 2.4 instances because
request splitting attacks require agents to interpret request length
indications differently.  Updating every affected server is the responsible
action by the user, and a security release is rarely a smart moment in time
to perform a major upgrade (config changes etc) without proper testing of
those configs and services.
On Jun 11, 2015 4:27 AM, "Steffen" <in...@apachelounge.com> wrote:

> Not so happy to roll 2.2.30 in conjunction with 2.4.14.
>
> It does not stimulate pp to upgrade to 2.4; it suggests that the
> httpd-project gives 2.2 (legacy) the same priority as 2.4.
>
> Better first 2.4 and after some time 2.2. I do not agree with the argument
> to simplify the announcement.
>
>
>
> *From:* William A Rowe Jr <wr...@rowe-clan.net>
> *Sent:* Thursday, June 11, 2015 4:54 AM
> *Newsgroups:* gmane.comp.apache.devel
> *To:* httpd <de...@httpd.apache.org>
> *Subject:* Re: Review of 2.2.x security patch sought.
>
> Just a quick /nag that I'm happy to roll 2.2.30 in conjunction with 2.4.14,
> so that we present both to the community at the same time, and simplify
> the announcement.  This patch still needs a third +1 to be adopted (it is
> already in trunk, and in the 2.4.14 Jim will be tagging & rolling shortly).
>
> ...
> ...
> ...
>