[Page 1, 2 Next]

Topic: Information on the Builds from Apache Lounge ?

[1]

Topic: Information on the Builds from Apache Lounge ?

[jpicazio]

How often are each build/patches released?

Are there any legal issues to be taken into consideration with using binaries from Apache lounge?

Have there been an meaningful quality issues?
How long has apache lounge been in existence?

What relation does apache lounge have with Apache.org?

Thank you for you time.

Sincerely,

Jeff

[admin]

Apache Lounge is making a build available when the source is voted as GA (General Availability) at the ASF (Apache Software Foundation). Till now approximately every half year. Patches are in principal not applied by us till the next GA, excluded ones official supplied by the ASF and it happens sometimes that Apache Lounge is applying an coming ASF or members patch, then it is made available in a separate build with a P in the download file name and explained in a forum post.

For newer external dependencies, like zlib, openssl etc. we are updating the download after testing.

Not aware/had legal issues with the builds. For the licenses and notices see the .txt files in the Apache folder of the download zip.

It is what you define as quality. I and a number of Apache Lounge moderators/users are testing it before a build goes GA, and the ASF is listening to Apache Lounge.

Since Jan 2003 there are Apache Lounge builds.

The moderators here and I participate in the development/testing at ASF, also with some authors of third party modules like mod_security. Two moderators and members here are official ASF committers.


Steffen

ps.
Changed the subject of your post to a little more meaningful.

[jpicazio]

Can an individual request a fix from Apache Lounge or does Apache Lounge simple apply fixes after they are released by ASF? If I understand what you had said correctly an individual would need to take a new version of APache to get fixes (you do not patch existing versions) and a person could be waiting 6 months for a fix. Am I reading what you said correctly?

Jeff

[glsmith]

I should leave this for Steffen to answer ... but;

I'll start with the second question first. For the most part yes, but security related fixes are dealt with by the ASF as quickly as possible. The last example is the range header attack 0-day that was just dropped on the world one day. Within days there were workarounds available and a fixed new release was out in 2 weeks (2.2.20). That had a regression in it which got fixed with another new release in another 2 weeks (2.2.21). Other non-security bug fixes can take some time to get done, depends on the severity. Enhancements are rarely ever added to a existing major.minor version.

For the first question. You can ask, whether Steffen fulfills your request is up to him. He has stated above that sometimes he'll release another package that has been patched. That usually means patching the current existing version. There are others here that build and might be willing to supply you with your request. It never hurts to ask, the worst that can happen is you get a "no" for an answer.

What fix are you looking for?

[jpicazio]

Could you help me find out in general how many people/organizations are using 2.4 version of Apache web server from this site? Do you have any data like that?

I suppose our concern is we do not want to be one of the first ones to try out the newest version.

Thanks,

Jeff

[admin]

It is thrilling to see how many are using the AL builds, including Professional/Commercial use. When I examine the downloads this year then I guess that we have over 100.000 installations/sites. Maybe even lot more, it is hard to guess because there are more sites that delivering our builds. Also our builds are used by others for their own build/download, like XAMPP from Apachefriends

Guess for 2.4 it is at least 50.000, maybe a lot more, we never know.

Btw, 2.4 is not that new anymore, the first GA was in Januari 2012, this after years testing beta etc.


Steffen

[jpicazio]

Does Apache Lounge provide "Diffs" on the files that have been modified/changed from apache?

Thanks,

Jeff

[Steffen]

It is noted in the changelog, http://www.apachelounge.com/Changelog-2.4.html

There is a section called "Apachelounge changes" and "ASF changes"

Steffen

[jpicazio]

Does this also reflect the exact code level changes or are there additional logs for that?

Thanks,

Jeff

[Steffen]

Till now it rarely happens and the exact change is mentioned in the Readme in the .zip.

Policy is: no changes in the ASF source. Sometime, like now with a APR patch, a patch in trunk is already applied here.

What is your worry ?

[jpicazio]

Specifically what I am looking for is what is the actual source code level that has changed, or even the matching source code with the release? Is it possible to have the entire source code for a particular release? It would be nice to have a raw version for security reasons.

[Steffen]

See http://httpd.apache.org/download.cgi
The Unix source is the same as Windows, except the linefeeds.

And see for details about changes http://svn.apache.org/viewvc/httpd/httpd/branches/

Steffen

[jpicazio]

Steffen,

I wasn't meaning changes apache.org has done, by previous reply was changes apache lounge has done?

[glsmith]

I honestly think there is some loss in translation going on here, EN->NL.
See: http://www.apachelounge.com/viewtopic.php?t=4955

as it was spit off from this topic even though it is directly about this topic.

[Steffen]

[jpicazio]

Steffen,

Do you have a contact we could speak with at a bank or larger organization that utilized apache lounge?

Thanks,

Jeff

[Steffen]

Nope, we do not disclose.

Better you build Apache yourself, then you are completely in control, but still you have to trust external parties and individuals. Or download from httpd.apache.org , but as stated above you have then same trust level.

Steffen

[jpicazio]

Hi Steffen,

I noted on http://httpd.apache.org/download.cgi the release date for 2.2.23 is (released 2012-09-13)
however on Apache lounge the release for 2.2.23 is posted at 24 Aug '12, I was curious what was the reason for the delta.

One more question, hypothetically when 2.2.24 is release what is the average time for apachelounge to release their build of 2.2.24 (or any future build on average) ?

Thanks!

Jeff

[Steffen]

The source is first released for voting, voting takes some time. When the voting tends to GA then I start building/testing the final. Also it takes some time that someone at ASF makes the announcement. Btw. the date of the source files is 21 Aug '12

[glsmith]

Let me add that 2.2.23 was a strange case. It was released for voting (usually 72 hours) and two weeks later the person who created the release had simply disappeared. Since it had the necessary +1 votes and no -1s, someone else finally picked it up, called the vote passed and moved the source to the download page. The announcement came a day or two after that which is normal, can be longer however when the person releasing forgets.