[VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
Hi all,

due to found security weaknesses in our 2.4.50 release, the security team
feels it is necessary to do a new release on very short notice. We will skip
the usual 3 day voting period and close the vote once we feel comfortable
with our testing.

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days^h^h^h^hhours to release
this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
[ ] +1: It's not just good, it's hopefully good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz

The SVN candidate source is found at tags/candidate-2.4.51-rc1.

Kind Regards,
Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
+1 on Debian 11

stefan@eissing.org <stefan@eissing.org> wrote on Thu, 7 Oct 2021, 15:17:

> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>
> Kind Regards,
> Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
+1 on Fedora 34

On 2021/10/07 13:17:36, "stefan@eissing.org" <stefan@eissing.org> wrote:
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>
> Kind Regards,
> Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
> On 07.10.2021 at 15:17, stefan@eissing.org wrote:
>
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>
> Kind Regards,
> Stefan

+1 on macOS.
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
On 10/7/21 3:17 PM, stefan@eissing.org wrote:
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>

+1 on RedHat 8

Regards

Rüdiger
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
On Thu, Oct 07, 2021 at 03:17:36PM +0200, stefan@eissing.org wrote:
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [X] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz

+1 for release, tested on Fedora 34 and RHEL8.

Regards, Joe
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
On Thu, Oct 7, 2021 at 9:17 AM stefan@eissing.org <stefan@eissing.org> wrote:
>
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1 AIX/xlc/ppc64
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
+1 looks ok on Windows


On Thursday 07/10/2021 at 15:17, stefan@eissing.org wrote:
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>
> Kind Regards,
> Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
On Thu, Oct 7, 2021 at 3:17 PM stefan@eissing.org <stefan@eissing.org> wrote:
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:

+1 on Debian 10 and 11.

Thanks Stefan!
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
ASF release policy [1] suggests that we have a >=72 hour voting period
for releases, but this is a "SHOULD" not a hard rule. Due to:

a) the severity of the issue being fixed, and

b) the extensive review and testing which the patch has received both
here and off-list, and

c) the fact we already have sufficient binding votes on the release,
with no negative feedback either from PMC members or the community

my recommendation as PMC Chair is that we close the vote now and ship
the update. Normal 72+ hour release votes must be resumed after this.

Regards, Joe

[1] https://www.apache.org/legal/release-policy.html
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
+1 Cent6/7/8 Ubuntu 20.04

Thanks,
Cory McIntire
PO - cPanel Security Team
Release Manager - EasyApache
cPanel / WebPros


From: stefan@eissing.org <stefan@eissing.org>
Date: Thursday, October 7, 2021 at 8:17 AM
To: dev@httpd.apache.org <dev@httpd.apache.org>
Subject: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
Hi all,

due to found security weaknesses in our 2.4.50 release, the security team
feels it is necessary to do a new release on very short notice. We will skip
the usual 3 day voting period and close the vote once we feel comfortable
with our testing.

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days^h^h^h^hhours to release
this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
[ ] +1: It's not just good, it's hopefully good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz

The SVN candidate source is found at tags/candidate-2.4.51-rc1.

Kind Regards,
Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
Then I close the vote and start pushing the release.

Thanks to everyone for participating here on such short notice!

Kind Regards,
Stefan

> On 07.10.2021 at 17:06, Joe Orton <jorton@redhat.com> wrote:
>
> ASF release policy [1] suggests that we have a >=72 hour voting period
> for releases, but this is a "SHOULD" not a hard rule. Due to:
>
> a) the severity of the issue being fixed, and
>
> b) the extensive review and testing which the patch has received both
> here and off-list, and
>
> c) the fact we already have sufficient binding votes on the release,
> with no negative feedback either from PMC members or the community
>
> my recommendation as PMC Chair is that we close the vote now and ship
> the update. Normal 72+ hour release votes must be resumed after this.
>
> Regards, Joe
>
> [1] https://www.apache.org/legal/release-policy.html
>
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
+1 on Slackware64 -current

Alex

> On Oct 7, 2021, at 09:17, stefan@eissing.org wrote:
>
> Hi all,
>
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 *httpd-2.4.51-rc1.tar.gz
> sha512: 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157 *httpd-2.4.51-rc1.tar.gz
>
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
>
> Kind Regards,
> Stefan
Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51
On 10/7/21 11:17, stefan@eissing.org wrote:
> Then I close the vote and start pushing the release.
>
> Thanks to everyone for participating here on such short notice!
>

Well gee ... that was far too fast for me to catch!

I guess I will just go get the production release.



--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional