Mailing List Archive

Date in announcement is still :
September 21, 2018

> Op 1 aug. 2020 om 16:13 heeft Daniel Ruggeri <daniel@bitnebula.com> het volgende geschreven:
>
> ?Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>
> --
> Daniel Ruggeri
>
>

Le 01/08/2020 à 16:13, Daniel Ruggeri a écrit :
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>

+1

Tested on Ubuntu 20.04
Gcc 9.3.0
maintainer-mode
APR latest 1.7.x branch (i.e 1.7.0+)
APR-UTIL latest 1.6.x branch (i.e 1.6.1+)
Tested with event, prefork, worker

Thx for RMing.

CJ

+1 to release on Windows

0 for code analyses and warnings

Steffen

Ps.

Attached:


HTTPD Warnings Win32 : 238 (now with code analyses)
HTTPD Win64 warnings with code analyses on Request.

Could be better


For who is interested Win32 APR 1.7.0 APR-UTIL 1.6.1 : 91 (with code
analyses)





On Saturday 01/08/2020 at 16:13, Daniel Ruggeri wrote:
> Hi, all;
> Third time is a charm! Please find below the proposed release
> tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256:
> 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>
> --
> Daniel Ruggeri
>
>

On 02/08/2020 00:13, Daniel Ruggeri wrote:

> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

All good running on slackware 13.1 through to -current

built with included APR 1.7.0, APR-Util 1.6.1

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so. If
you are not the intended recipient, please notify the sender then delete
all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.

On Sat, Aug 1, 2020 at 4:14 PM Daniel Ruggeri <daniel@bitnebula.com> wrote:
>
> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [x] +1: It's not just good, it's good enough!

Tested on Debian 10 "Buster", apr 1.6 + apr-util 1.6, openssl 1.1, php-fpm 7.3.
Verified all signatures and digests (nit: do we still need to publish
the .md5 ones?)

Thanks Daniel!

Luca

On Sat, Aug 01, 2020 at 09:13:29AM -0500, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [X] +1: It's not just good, it's good enough!

+1 for release, tested in Fedora 32, and thanks again-again.

Regards, Joe

On 01/08/2020 16:13, Daniel Ruggeri wrote:
> [X] +1: It's not just good, it's good enough!

Passed on fedroa32 x86_64.

--
Cheers

Jean-Frederic

On Sat, Aug 1, 2020 at 4:14 PM Daniel Ruggeri <daniel@bitnebula.com> wrote:
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:

[X] +1: It's not just good, it's good enough!

All good in my testing, thanks Daniel for RMing.

On Sat, Aug 1, 2020 at 10:14 AM Daniel Ruggeri <daniel@bitnebula.com> wrote:
>
> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!

+1

On 8/1/20 4:13 PM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>
+1, tested on Fedora32 and OpenBSD-current.

Giovanni

For my own +1... tested under the following versions:

system:
  kernel:
    name: Linux
    release: 4.19.0-10-amd64
    version: #1 SMP Debian 4.19.132-1 (2020-07-24)
    machine: x86_64

  libraries:
    openssl: "1.1.1g"
    openldap: "2.4.50"
    apr: "1.7.0"
    apr-util: "1.6.1"
    iconv: "1.2.2"
    brotli: "1.0.7"
    nghttp2: "1.41.0"
    zlib: "1.2.11"
    pcre: "8.44"
    libxml2: "2.9.9"
    php: "7.4.8"
    lua: "5.3.5"
    curl: "7.71.1"

--
Daniel Ruggeri

On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>

On 8/1/2020 7:13 AM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>
+1 on Windows VS15 & 16 built at command line.

[x] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

Debian 10 build.

Am 01.08.2020 um 16:13 schrieb Daniel Ruggeri:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.

+1 to release and thanks a bunch for multi-RM!

Summary: all OK except for

- 12 shutdown crashes on Solaris, all for prefork (already observed
previously). Happens in mod_watchdog during server shutdown.
gdb info at end. Not a regression.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
except for expected deltas

Built and test results based on 2.4.45 but are valid for 2.4.46 due to
the minimal code change between them.

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8 (64 Bits)

For all platforms built

- with default (shared) and static modules
- with module set reallyall
- using --enable-load-all-modules
- against external APR/APU 1.7.0/1.6.1
plus APR/APU 1.6.5/1.6.1
plus APR/APU 1.7.x r1880146/1.7.x r1880148 with expat
plus APR/APU 1.7.x r1880146/1.7.x r1880148 with libxml2
plus APR/APU from deps tarball

- using external libraries
- expat 2.2.9
- pcre 8.44
- lua 5.3.5 (compiled with LUA_COMPAT_MODULE)
- libxml2 2.9.10
- libnghttp2 1.41.0
- brotli 1.0.7
- curl 7.71.1
- jansson 2.13.1
- libldap 2.4.50
and
- openssl 0.9.8zh, 1.0.2, 1.0.2u, 1.0.1e, 1.0.1l, 1.1.1, 1.1.1g plus
patches (head of master on 2020-07-11), 3.0.0alpha5

- Tool chain:
- platform gcc except on Solaris
(gcc 9.3.0 Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
- on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE,
-D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__
and -D_XPG6

All of the 1064 builds succeeded.

- compiler warnings:

- only on Solaris (GCC 9.3.0):
srclib/apr/locks/unix/proc_mutex.c:979:49: warning:
'mutex_proc_pthread_cond_methods' defined but not used
[-Wunused-const-variable=]

- deprecation warnings when building against OpenSSL 3.0.0, see other
thread


Tested for

- Solaris 10, SLES 11+12+15, RHEL 6+7+8
- MPMs prefork, worker, event
- default and static module builds
- log level trace8
- module set reallyall (128 modules plus 3 MPMs)
- Perl client bundle build against OpenSSL 1.1.1g plus patches, 1.1.0l,
1.0.2u and 0.9.8zh
- OpenSSL once linked statically and once as a shared library

Every OpenSSL version in the client tested with every OpenSSL version in
the server. Nearly all tests with dynamically linked OpenSSL are done.

The total number of test suite runs was 5913 (many more to come ...).

Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
- my $bigsize = 100000;
+ my $bigsize = 10000;

- fixing "sub which" in Apache-Test/lib/Apache/TestConfig.pm
+ # No need to search PATH components
+ # if $program already contains a path
+ return $program if !OSX and !WINFU and
+ $program =~ /\// and -f $program and -x $program;
+

- fixing limitrequestline overwrite which does not yet really work

The following test failures were seen:

a Crashes only on Solaris, only with prefork MPM and
dynamically linked builds.
The crash seems to happen only at the end of a process during pchild
clean up and it might be problematic, that the watchdog thread at that
time still exists.
gdb info see at end.

b Tests 2 of t/apache/pr35292.t
Tests 2 at line 29
Only once on Solaris. Unclear failure showing the socket
was disconected, but the next test case sees correct response content.

c Tests 27 and 28 of t/modules/http2.t
Tests 27 and 28 at lines 303 and 304
Response status and content length undef for
test case: TC0015, necho.pl 100000x10:
GET
http://localhost:8536/modules/h2/necho.pl?count=100000&text=0123456789
Only once on Solaris.

d Tests 207 and 265 of t/ssl/proxy.t
eat_post received "502 Proxy Error".
Each of the two failed test cases only once on Solaris.

e OpenSSL 3.0.0 and t/ssl/proxy.t
eat_post fails always, see other thread about OpenSSL 3.0.0

f All https tests fail between OpenSSL 0.9.8zh and 3.0.0alpha5
Probably need to figure out how to load the legacy provider
during the tests

g Test 5 in t/modules/dav.t line 69:
Not a regression.
Only once on SLES 11.
Creation, modified and now times not in the correct order.
Reason unknown, the test for Linux *no longer* run on NFS,
instead on tmpfs.

h Tests 42, 45, 48, 51, 54 in t/modules/cgi.t line 232:
Not a regression
Only on Solaris
355 failed test runs out of 470
Test checks log contents. Could be false positive due to
logs written to NFS.

Regards,

Rainer

GDB info (sporadic) Solaris shutdown crashes during OpenSSL shutdown in
mod_watchdog:

----------------- lwp# 1 / thread# 1 --------------------
ff07b670 apr_pool_destroy (393280, 41d848, ffbfee19, 38c8a0, 393268,
1018) + 284
fed529e0 clean_child_exit (7, 22f, 3, 3, 9, cc4b0) + 60
fed52f2c child_main (fed6b93c, fed6b938, 9c71c, fed6b954, fed6b944,
9becc) + 344
fed535fc make_child (cc4b0, 2, 2, 392e50, 1, 0) + 1d0
fed545e4 prefork_run (0, ffbfefdc, ffbfefc8, fed6b94c, 9becc,
fed6b95c) + 91c
00039e64 ap_run_mpm (a7338, ce008, cc4b0, 9bd3c, 0, 1eaa08) + 54
00075cfc main (37a54, 9b718, 76d90, 9becc, 9beb8, a53c0) + 9b4
00031654 _start (0, 0, 0, 0, 0, 0) + 5c
----------------- lwp# 2 / thread# 2 --------------------
fee42480 mutex_lock_impl (fce10200, 0, 0, 0, fd839278, 0) + 168
fd827ff8 __deregister_frame_info_bases (fd8392a8, 0, 0, 0, fd839290,
0) + d8
fd82130c ???????? (0, 0, fd8392a0, fd839628, 0, fd83962c)
fd828540 _fini (ff3f418c, ff3f5b10, 2ae70, 0, ff3f48e8, 1821) + 4
ff3c5a5c call_fini (ff3f418c, febc1058, fd82853c, ff3f4380, ff3f4338,
ff3f48e8) + cc
ff3c5c2c atexit_fini (ff3f418c, 2ed28, fee42cc0, ff3f48e8, fce10200,
febc1058) + 78
fedc2374 _exithandle (feeb7500, feeb5900, 1c00, feeb9330, 24, 222c88) + 40
fedb0790 exit (0, 222c88, ff076cc8, 0, fce10200, 38c904) + 4
fed52a18 clean_child_exit (0, 0, 0, 0, 0, 0) + 98
fed52a3c just_die (f, 0, fcdfba70, 1, 0, 0) + 4
fee4961c __sighndlr (f, 0, fcdfba70, fed52a38, 0, 1) + c
fee3dce8 call_user_handler (f, 0, 0, 0, fce10200, fcdfba70) + 3b8
fee3ded0 sigacthandler (f, 0, fcdfba70, 0, 0, 0) + 60
--- called from signal handler with signal 15 (SIGTERM) ---
fee4cdc0 __pollsys (fcdfbde8, 0, fcdfbe50, 0, 0, 0) + 8
fede8590 pselect (fcdfbde8, feeb4728, feeb4728, 0, fcdfbe50, 0) + 1c8
fede8908 select (0, 0, 0, 0, fcdfbeb8, f4240) + a0
ff087d20 apr_sleep (0, 186a0, a129c, a1298, 0, 0) + 4c
fe372f30 wd_worker (fe389744, 3900b0, 1, fcdfbf38, 5abe9, 815e16a) + 348
ff087274 dummy_worker (390ef0, fcdfc000, 0, 0, ff087268, 1) + c
fee494f0 _lwp_start (0, 0, 0, 0, 0, 0)

On Tue, Aug 04, 2020 at 01:48:08PM +0200, Rainer Jung wrote:
> GDB info (sporadic) Solaris shutdown crashes during OpenSSL shutdown in
> mod_watchdog:

Awesome level of testing as usual, thanks Rainer!

I see similar crashes with mod_watchdog active for 2.4 prefork. I think
the trigger is also loading mod_md, which causes mod_watchdog to have
active threads? May be wrong.

I started investigating mod_watchdog mutex abuse (r1876511) but in the
end concluded that prefork ungraceful shutdown is inherently broken
because it does everything inside a signal handler in each child, which
is totally unsafe and unsurprisingly crashy.

In this case you have:

1) a child's main thread exiting with APEXIT_CHILDSICK (from first
argument == 7 == APEXIT_CHILDSICK) - possibly the listener mutex got
whacked by the parent?

2) there is a mod_watchdog thread which caught SIGTERM and is handling
that at the same time.

It seems pretty daft that the mod_watchdog thread is catching any
signals. It looks like wd_worker() should call
apr_setup_signal_thread() to block such signals - if fact any thread use
within httpd outside of the MPMs should be doing that?

Regards, Joe

>
> ----------------- lwp# 1 / thread# 1 --------------------
> ff07b670 apr_pool_destroy (393280, 41d848, ffbfee19, 38c8a0, 393268, 1018)
> + 284
> fed529e0 clean_child_exit (7, 22f, 3, 3, 9, cc4b0) + 60
> fed52f2c child_main (fed6b93c, fed6b938, 9c71c, fed6b954, fed6b944, 9becc)
> + 344
> fed535fc make_child (cc4b0, 2, 2, 392e50, 1, 0) + 1d0
> fed545e4 prefork_run (0, ffbfefdc, ffbfefc8, fed6b94c, 9becc, fed6b95c) +
> 91c
> 00039e64 ap_run_mpm (a7338, ce008, cc4b0, 9bd3c, 0, 1eaa08) + 54
> 00075cfc main (37a54, 9b718, 76d90, 9becc, 9beb8, a53c0) + 9b4
> 00031654 _start (0, 0, 0, 0, 0, 0) + 5c
> ----------------- lwp# 2 / thread# 2 --------------------
> fee42480 mutex_lock_impl (fce10200, 0, 0, 0, fd839278, 0) + 168
> fd827ff8 __deregister_frame_info_bases (fd8392a8, 0, 0, 0, fd839290, 0) +
> d8
> fd82130c ???????? (0, 0, fd8392a0, fd839628, 0, fd83962c)
> fd828540 _fini (ff3f418c, ff3f5b10, 2ae70, 0, ff3f48e8, 1821) + 4
> ff3c5a5c call_fini (ff3f418c, febc1058, fd82853c, ff3f4380, ff3f4338,
> ff3f48e8) + cc
> ff3c5c2c atexit_fini (ff3f418c, 2ed28, fee42cc0, ff3f48e8, fce10200,
> febc1058) + 78
> fedc2374 _exithandle (feeb7500, feeb5900, 1c00, feeb9330, 24, 222c88) + 40
> fedb0790 exit (0, 222c88, ff076cc8, 0, fce10200, 38c904) + 4
> fed52a18 clean_child_exit (0, 0, 0, 0, 0, 0) + 98
> fed52a3c just_die (f, 0, fcdfba70, 1, 0, 0) + 4
> fee4961c __sighndlr (f, 0, fcdfba70, fed52a38, 0, 1) + c
> fee3dce8 call_user_handler (f, 0, 0, 0, fce10200, fcdfba70) + 3b8
> fee3ded0 sigacthandler (f, 0, fcdfba70, 0, 0, 0) + 60
> --- called from signal handler with signal 15 (SIGTERM) ---
> fee4cdc0 __pollsys (fcdfbde8, 0, fcdfbe50, 0, 0, 0) + 8
> fede8590 pselect (fcdfbde8, feeb4728, feeb4728, 0, fcdfbe50, 0) + 1c8
> fede8908 select (0, 0, 0, 0, fcdfbeb8, f4240) + a0
> ff087d20 apr_sleep (0, 186a0, a129c, a1298, 0, 0) + 4c
> fe372f30 wd_worker (fe389744, 3900b0, 1, fcdfbf38, 5abe9, 815e16a) + 348
> ff087274 dummy_worker (390ef0, fcdfc000, 0, 0, ff087268, 1) + c
> fee494f0 _lwp_start (0, 0, 0, 0, 0, 0)
>

On Sat, Aug 1, 2020 at 9:13 AM Daniel Ruggeri <daniel@bitnebula.com> wrote:

> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
>

From the peanut gallery;

[?] +1: It's not just good, it's as good as can be expected!

Windows via cmake, ubuntu 16, 18, 20 LTS's and centos 7, 8.

On Sat, Aug 1, 2020 at 9:13 AM Daniel Ruggeri <daniel@bitnebula.com> wrote:

> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/


Just as a footnote to 2.4.46, as mentioned before mod_lua won't compile
against the
current lua release 5.4.0. Can this be mentioned in the release
announcement that
the lua 5.3.5 release or earlier is still required? (It's my guess that
after breaking the
API with the release of 5.4.0, they aren't about to revert that change in a
later flavor.)

Hi, all;

   With 12 binding PMC +1 votes, two additional +1 votes from the
community, and no -1 votes, I'm pleased to report that the vote has
PASSED to release 2.4.46. I will begin the process of pushing to the
distribution mirrors which should enable us for a Friday announcement -
a great way to wrap up the week!

Here are the votes I recorded during the thread:
PMC
jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
gbechis, gsmith, druggeri, jblond, rjung

Community
Noel Butler, wrowe

--
Daniel Ruggeri

On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>

Following the announcement link, it isn't clear that

https://httpd.apache.org/security/vulnerabilities_24.html

fixes issues in 2.4.46.

Should the fixed-in be promoted to the revision of Apache HTTP Server
actually published (released) by the project? It almost reads like "fixed in
2.4.46-dev" (which 0-day disclosures are described as, until a release
is actually published.)

On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <daniel@bitnebula.com> wrote:

> Hi, all;
>
> With 12 binding PMC +1 votes, two additional +1 votes from the
> community, and no -1 votes, I'm pleased to report that the vote has
> PASSED to release 2.4.46. I will begin the process of pushing to the
> distribution mirrors which should enable us for a Friday announcement -
> a great way to wrap up the week!
>
> Here are the votes I recorded during the thread:
> PMC
> jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
> gbechis, gsmith, druggeri, jblond, rjung
>
> Community
> Noel Butler, wrowe
>
> --
> Daniel Ruggeri
>
> On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> > Hi, all;
> > Third time is a charm! Please find below the proposed release tarball
> > and signatures:
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release this
> > candidate tarball as 2.4.46:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> > sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> > *httpd-2.4.46.tar.gz
> > sha512:
> >
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> > *httpd-2.4.46.tar.gz
> >
> > The SVN tag is '2.4.46' at r1880505.
> >
>
>

Hi, Bill;
   I wondered about this myself. I agree that we allow for ambiguity
when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
released). Perhaps we should just bump the 'fixed' version up to the
released version... but then we should also add to the 'affected'
versions the version numbers we burned during QA. That's odd, too,
because we didn't release those versions so they aren't really 'affected'.

   I could go either way... the vulnerability reporting is enough "after
work" for a release that makes it a prime candidate for processing it
with announce.sh, so I'm happy to encode whatever we consider the best
way forward into that script.

--
Daniel Ruggeri

On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
> Following the announcement link, it isn't clear that 
>
> https://httpd.apache.org/security/vulnerabilities_24.html 
>
> fixes issues in 2.4.46.
>
> Should the fixed-in be promoted to the revision of Apache HTTP Server
> actually published (released) by the project? It almost reads like
> "fixed in
> 2.4.46-dev" (which 0-day disclosures are described as, until a release
> is actually published.)
>
> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <daniel@bitnebula.com
> <mailto:daniel@bitnebula.com>> wrote:
>
> Hi, all;
>
>    With 12 binding PMC +1 votes, two additional +1 votes from the
> community, and no -1 votes, I'm pleased to report that the vote has
> PASSED to release 2.4.46. I will begin the process of pushing to the
> distribution mirrors which should enable us for a Friday
> announcement -
> a great way to wrap up the week!
>
> Here are the votes I recorded during the thread:
> PMC
> jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
> gbechis, gsmith, druggeri, jblond, rjung
>
> Community
> Noel Butler, wrowe
>
> --
> Daniel Ruggeri
>
> On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> > Hi, all;
> >    Third time is a charm! Please find below the proposed release
> tarball
> > and signatures:
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release this
> > candidate tarball as 2.4.46:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> > sha256:
> 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> > *httpd-2.4.46.tar.gz
> > sha512:
> >
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> > *httpd-2.4.46.tar.gz
> >
> > The SVN tag is '2.4.46' at r1880505.
> >
>

?I don’t see why a verbiage similar to “Fixed in Apache httpd-2.4.44 (not released to the public)” couldn’t be used: this is, after all, a true statement.

While it should be common understanding that newer code versions carry improvements and fixes from previous ones, maybe this should be clarified on the initial paragraphs of the vulnerabilities page.

Last but not least, this also resolves thoughts of “where is 2.4.44, I cannot find it” (although only if one browses to the vulnerabilities page).

What I am not sure, however, is how much this affects the existing automation workflow.

Alex

> On Aug 8, 2020, at 08:27, Daniel Ruggeri <daniel@bitnebula.com> wrote:
>
> ?Hi, Bill;
> I wondered about this myself. I agree that we allow for ambiguity
> when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
> released). Perhaps we should just bump the 'fixed' version up to the
> released version... but then we should also add to the 'affected'
> versions the version numbers we burned during QA. That's odd, too,
> because we didn't release those versions so they aren't really 'affected'.
>
> I could go either way... the vulnerability reporting is enough "after
> work" for a release that makes it a prime candidate for processing it
> with announce.sh, so I'm happy to encode whatever we consider the best
> way forward into that script.
>
> --
> Daniel Ruggeri
>
>> On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
>> Following the announcement link, it isn't clear that
>> https://httpd.apache.org/security/vulnerabilities_24.html
>> fixes issues in 2.4.46.
>> Should the fixed-in be promoted to the revision of Apache HTTP Server
>> actually published (released) by the project? It almost reads like
>> "fixed in
>> 2.4.46-dev" (which 0-day disclosures are described as, until a release
>> is actually published.)
>> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <daniel@bitnebula.com
>> <mailto:daniel@bitnebula.com>> wrote:
>> Hi, all;
>> With 12 binding PMC +1 votes, two additional +1 votes from the
>> community, and no -1 votes, I'm pleased to report that the vote has
>> PASSED to release 2.4.46. I will begin the process of pushing to the
>> distribution mirrors which should enable us for a Friday
>> announcement -
>> a great way to wrap up the week!
>> Here are the votes I recorded during the thread:
>> PMC
>> jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
>> gbechis, gsmith, druggeri, jblond, rjung
>> Community
>> Noel Butler, wrowe
>> --
>> Daniel Ruggeri
>>> On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
>>> Hi, all;
>>> Third time is a charm! Please find below the proposed release
>> tarball
>>> and signatures:
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>> I would like to call a VOTE over the next few days to release this
>>> candidate tarball as 2.4.46:
>>> [ ] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>> The computed digests of the tarball up for vote are:
>>> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>>> sha256:
>> 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
>>> *httpd-2.4.46.tar.gz
>>> sha512:
>> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
>>> *httpd-2.4.46.tar.gz
>>> The SVN tag is '2.4.46' at r1880505.