[Discuss] Rolling a 'final' 2.2.33 release


William A Rowe Jr
Per our discussion last year, this EOL is here. That discussion
resulted in the following Announcement statement;

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior versions
   to upgrade. This 2.2 maintenance release is offered for those unable
   to upgrade at this time.

   Please note that Apache Web Server Project will only provide maintenance
   releases of the 2.2.x flavor through June of 2017, and will provide some
   security patches beyond this date through at least December of 2017.
   Minimal maintenance patches of 2.2.x are expected throughout this period,
   and users are strongly encouraged to promptly complete their transitions
   to the 2.4.x flavor of httpd to benefit from a much larger assortment
   of minor security and bug fixes as well as new features.

If we incorporate apr[-util] 1.6, that would remove expat from this
final 2.2 release. If we do this, we need to backport various build
logic changes, backporting those changes for all build schemas.
I believe Windows and Netware have unified expat builds, and
the httpd-level solution files would need to be regenerated to
consume externally built expat (as apr-util already does); going
that far, it likely makes sense to incorporate externally built pcre.

The alternative I prefer is to roll with the final apr[-util] 1.5 releases
as the 2.2.32 tarball had, and include the same warning as given
in the 2.2 release announcement;

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

Thoughts/comments? Patches to hold for before we roll? If I don't hear
otherwise, and we stick to the simpler alternative, then I'd plan to roll
these candidates Thursday.

Re: [Discuss] Rolling a 'final' 2.2.33 release

William A Rowe Jr
On Wed, Jun 14, 2017 at 4:12 PM, William A Rowe Jr <[hidden email]> wrote:
>
>    Please note that Apache Web Server Project will only provide maintenance
>    releases of the 2.2.x flavor through June of 2017, and will provide some
>    security patches beyond this date through at least December of 2017.
>    Minimal maintenance patches of 2.2.x are expected throughout this period,
>    and users are strongly encouraged to promptly complete their transitions
>    to the 2.4.x flavor of httpd to benefit from a much larger assortment
>    of minor security and bug fixes as well as new features.

Just FYI, we've just about reached the 50% inflection point
I anticipated, it likely happens around the end of July;

https://w3techs.com/technologies/history_details/ws-apache/2

Now this might suggest that continuing to release 2.2 is important,
but that would be a misunderstanding of what "apache 2.2" means;

https://w3techs.com/technologies/details/ws-apache/2.2/all

As the list illustrates, 5 months later, only 2.5% of the 2.2 sites (~0.6%
or so of the total apache sites) had updated to 2.2.32 released in Jan.

Given the text above, this shouldn't come as a surprise, since users
likely adopted 2.4 rather than updating to another 2.2 release.

The majority of these 2.2 sites simply won't be updating their version
of httpd 2.2 again until their entire site is redeployed to a new server.
You can contrast this to the behavior of 2.4 administrators;

https://w3techs.com/technologies/details/ws-apache/2.4/all

Here, over 25% of 2.4 sites adopted 2.4.25 during the same time period.

Publishing security patches will help different vendors coordinate the
patches used to correct legacy releases they support, but will likely
not have a great impact on the typical httpd user, directly. We are
facing diminishing odds of users installing a 2.2 maintenance release
or patch from sources.

Re: [Discuss] Rolling a 'final' 2.2.33 release

Yann Ylavic
On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr <[hidden email]> wrote:
>
> The alternative I prefer is to roll with the final apr[-util] 1.5 releases
> as the 2.2.32 tarball had, and include the same warning as given
> in the 2.2 release announcement;

+1

>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Three patches (missing a single vote) in STATUS already, +1 with them in.

Thanks Bill for taking care of the old lady :)

Re: [Discuss] Rolling a 'final' 2.2.33 release

William A Rowe Jr
On Thu, Jun 15, 2017 at 2:47 AM, Yann Ylavic <[hidden email]> wrote:
> On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr <[hidden email]> wrote:
>>
>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>> these candidates Thursday.
>
> Three patches (missing a single vote) in STATUS already, +1 with them in.

Just finished reviewing, so everything in there is cleared for backport.

Re: [Discuss] Rolling a 'final' 2.2.33 release

Eric Covener
On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr <[hidden email]> wrote:
>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>> these candidates Thursday.

One more w/ bundled deps sounds OK.

Re: [Discuss] Rolling a 'final' 2.2.33 release

Ruediger Pluem


On 06/15/2017 04:49 PM, Eric Covener wrote:
> On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr <[hidden email]> wrote:
>>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>>> these candidates Thursday.
>
> One more w/ bundled deps sounds OK.
>

+1 to the simpler alternative.

Regards

Rüdiger