
Re: Question whether to drop support for Apache 2.0 < 2.0.44

Chris Travers wrote:
Hi all;

I am wondering what people think of dropping support for Apache from
versions 2.0.0 through 2.0.43 as of LedgerSMB 1.3.  These versions
have a bug in them which we currently work around involving escaping
URLs.  The bug was corrected in 2.1, 2.2, and 2.0.44.

My own preference is to assume that bugs fixed in a stable branch of
software should be deemed fixed in our code as well.  This helps
encourage people to be up to date (within the stable branch) and
therefore helps encourage better security.

But if these updates are not readily available to users, I think we
should still support the older version.  Any feedback?

My view and 2c worth.
I am quite a Debian fan (read bigot :) and I am aware that Debian often trails other distributions for package releases. Saying that, even Debian stable http://packages.debian.org/cgi-bin/search_packages.pl?keywords=apache&searchon=names&subword=1&version=stable&release=all has Apache 2.0.54 (and of course 1.3.33).

If a server is still running Apache < 2.0.44 I suspect that there may be more to worry about than just Apache. Could be a good prompt for people to look at their system.

As long as the dependency is made very CLEAR I think this is a good idea and if it helps clear out and make simpler the code, an even better idea.